CVE-2023-47248
Published 2023-11-09
CVE-2023-47248: Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution.
Priority: P1 · 86 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.41% (96.2th percentile)
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.
If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
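The following is an added triage example, not code from the Apache Arrow advisory or from pyarrow itself. It classifies an installed pyarrow version against the advisory's affected range (0.14.0 to 14.0.0, fixed in 14.0.1), applies `pyarrow_hotfix` by importing it when the version is affected (the activation mechanism that package documents), and runs a byte-level pre-check on raw Arrow IPC or Feather v2 data for the `arrow.py_extension_type` marker that the vulnerable reader would unpickle. The marker scan is a heuristic assumed from the IPC schema layout (field metadata stored as plain strings) and does not cover Parquet, which base64-encodes the Arrow schema in its footer; the sample byte fragments are constructed, not captured.

```python
# Added triage helpers for CVE-2023-47248; not code from the Apache Arrow
# advisory or from pyarrow. Assumptions (labelled): the affected range
# 0.14.0 <= pyarrow < 14.0.1 and the `pyarrow_hotfix` package come from the
# advisory text; importing `pyarrow_hotfix` activating it follows that
# package's own instructions; the byte-scan heuristic assumes the Arrow IPC
# schema message carries field metadata as plain UTF-8 strings.
import importlib
import re

AFFECTED_MIN = (0, 14, 0)   # first affected release, per the advisory
FIXED_IN = (14, 0, 1)       # first fixed release, per the advisory

# Extension name under which old PyArrow pickled/unpickled Python-defined
# extension types found in IPC/Feather/Parquet schema metadata.
PY_EXT_MARKER = b"arrow.py_extension_type"


def parse_version(version: str) -> tuple:
    """Reduce '14.0.0', '0.14.0rc1' or '14.0.0.dev12' to its first three integers."""
    parts = re.findall(r"\d+", version)[:3]
    parts += ["0"] * (3 - len(parts))
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the given pyarrow version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def ipc_schema_uses_py_extension_type(data: bytes) -> bool:
    """Heuristic pre-check on raw Arrow IPC stream/file bytes (Feather v2 is an
    IPC file): the schema message stores each field's custom metadata as plain
    strings, so the dangerous extension name is visible to a byte search before
    anything is deserialized. Not applicable to Parquet, whose footer carries
    the Arrow schema base64-encoded under the 'ARROW:schema' key."""
    return PY_EXT_MARKER in data


def harden_pyarrow() -> str:
    """Apply the advisory's guidance to the installed pyarrow and report the
    outcome. pyarrow is imported lazily so this module loads without it."""
    try:
        pa = importlib.import_module("pyarrow")
    except ImportError:
        return "pyarrow-not-installed"
    if not is_affected(pa.__version__):
        return "fixed-version"
    try:
        importlib.import_module("pyarrow_hotfix")  # importing it installs the hotfix
    except ImportError as exc:
        raise RuntimeError(
            f"pyarrow {pa.__version__} is affected by CVE-2023-47248 and "
            "pyarrow_hotfix is not installed; do not read untrusted Arrow data"
        ) from exc
    return "hotfix-applied"


# Constructed samples (not real captures): fragments shaped like the field
# metadata an IPC schema message carries, one with a Python-defined extension
# type and a pickle protocol 4 header in its metadata, one with a benign name.
SAMPLE_MALICIOUS_FRAGMENT = (
    b"ARROW:extension:name\x00" + PY_EXT_MARKER + b"\x00"
    + b"ARROW:extension:metadata\x00\x80\x04\x95..."
)
SAMPLE_BENIGN_FRAGMENT = b"ARROW1\x00\x00" + b"ARROW:extension:name\x00arrow.uuid\x00"


if __name__ == "__main__":
    print("installed pyarrow:", harden_pyarrow())
    for label, blob in (("malicious", SAMPLE_MALICIOUS_FRAGMENT),
                        ("benign", SAMPLE_BENIGN_FRAGMENT)):
        print(label, "->", ipc_schema_uses_py_extension_type(blob))
```

Run it as a script to get the verdict for the local pyarrow; the byte scan is a cheap gate in front of an untrusted-file reader, not a substitute for the upgrade. On 14.0.1 and later the unsafe deserialization path is off by default and only re-enabled by an explicit `pyarrow.PyExtensionType.set_auto_load(True)`, so searching a code base for that call is the complementary check.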
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | pyarrow | 0.14.0 – 14.0.0 | — |
| apache_software_foundation | pyarrow | >= 0.14.0 < 14.0.1 | 14.0.1 |
| apache_software_foundation | pyarrow | 0.14.0 – 14.0.0 | — |
| debian | apache-arrow | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | |
| osv | 9.8 | CRITICAL | |
| vulncheck | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | LOW | |
| vendor_oracle | 9.8 | CRITICAL | |
OSV
osv · 2023-11-20
CVE-2023-47248: Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution
OSV
osv · 2023-11-17 · CVSS 9.8
[CRITICAL] Ibis PyArrow dependency allows arbitrary code execution when loading a malicious data file
### Impact
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
Note that Ibis itself makes **extremely limited** use of `pyarrow.parquet.read_table`:
1. `read_table` is used in tests, where the input file is entirely controlled by the Ibis developers
2. `read_table` is used in the `ibis/examples/__init__.py` as a fallback for backends that don't support reading Parquet directly. Parquet dat
GHSA
ghsa · 2023-11-17 · CVSS 9.8
[CRITICAL] CWE-502 Ibis PyArrow dependency allows arbitrary code execution when loading a malicious data file
OSV
osv · 2023-11-09
CVE-2023-47248 [CRITICAL] PyArrow: Arbitrary code execution when loading a malicious data file
GHSA
ghsa · 2023-11-09
CVE-2023-47248 [CRITICAL] CWE-502 PyArrow: Arbitrary code execution when loading a malicious data file
VulnCheck
vulncheck · 2023 · CVSS 9.8
CVE-2023-47248 [CRITICAL] Apache pyarrow Deserialization of Untrusted Data
Oracle
vendor_oracle · 2024-07-15 · CVSS 9.8
CVE-2023-47248 [CRITICAL] Oracle Financial Services Applications Risk Matrix: Installer (PyArrow)
CVE: CVE-2023-47248
CVSS: 9.8
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpujul2024 (JUL 2024)
Debian
vendor_debian · 2023 · CVSS 9.8
CVE-2023-47248 [CRITICAL] apache-arrow - Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions...
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2023-47248 [CRITICAL] PyArrow Flight RPC - Remote Code Execution
PyArrow Flight RPC from v0.14.0 through v14.0.0 allows remote attackers to execute arbitrary code via a maliciously crafted Python-defined extension type.
Template:
```yaml
id: CVE-2023-47248

info:
  name: PyArrow Flight RPC - Remote Code Execution
  author: smolse
  severity: critical
  description: |
    PyArrow Flight RPC from v0.14.0 through v14.0.0 allows remote attackers to execute arbitrary code via a maliciously crafted Python-defined extension type.
  impact: |
    Unauthenticated attackers can exploit deserialization vulnerabilities through maliciously crafted Python-defined extension types in Flight RPC to execute arbitrary code and completely compromise PyArrow installations.
  remediation: |
    Upgrade to PyArrow v14.0.1 or later.
  reference:
    - https://nvd.nist.
```
Qualys
blogs_qualys · 2024-07-17
Oracle Critical Patch Update, July 2024 Security Update Review
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its third quarterly edition of Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware foll
References
- https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf
- https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/
- https://pypi.org/project/pyarrow-hotfix/