PYSEC-2023-238

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyarrow/PYSEC-2023-238.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-238
Aliases
Published
2023-11-20T09:10:54.169318Z
Modified
2023-11-20T09:26:47.189113Z
Summary
[none]
Details

Deserialization of untrusted data in the IPC and Parquet readers of PyArrow versions 0.14.0 through 14.0.0 (inclusive) allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from an untrusted source (for example user-supplied input files). The underlying weakness is that PyArrow's PyExtensionType automatically unpickled Python objects stored in a file's extension-type metadata while the file was being read, so a crafted file ran attacker-supplied code on load. Only PyArrow (the Python bindings) is affected, not other Apache Arrow implementations. The fix ships in PyArrow 14.0.1, which is the "fixed" event in the affected range below; upstream recommends upgrading to 14.0.1 or later and, where that is not possible, installing the pyarrow-hotfix package, which disables the vulnerable auto-loading on older versions. A version check alone is not a control: an application on an affected version stays exposed for every untrusted file it opens until it is upgraded or hotfixed.
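The following is an added example, not part of this OSV advisory, the PyPA advisory database or the Apache Arrow project. It encodes the ECOSYSTEM range events listed on this page (introduced 0.14.0, fixed 14.0.1) and evaluates a PyArrow version string against them with OSV range semantics, so an inventory script can flag installs that still need the 14.0.1 upgrade. The function names, the handling of PEP 440 pre-release suffixes and the sample version list are the example's own assumptions; the pyarrow-hotfix package named in the advice string is taken from the upstream Apache Arrow announcement rather than from this page.

```python
"""Evaluate a PyArrow version against the PYSEC-2023-238 affected range.

Added example; it is not part of the OSV advisory, the PyPA advisory
database or the Apache Arrow project. The events below are copied from this
advisory's ECOSYSTEM range (introduced 0.14.0, fixed 14.0.1) and applied with
OSV semantics: a version is affected when the last event at or below it is an
"introduced" event.
"""
from __future__ import annotations

import re

# Copied from the "Affected ranges" section of this advisory.
PYSEC_2023_238_EVENTS = [
    {"introduced": "0.14.0"},
    {"fixed": "14.0.1"},
]

_NUMERIC_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")
# PEP 440 style pre-release markers (a1, b2, rc1, .dev5). Assumption: anything
# else after the numeric part (e.g. a "+cpu" local tag) is treated as the release.
_PRERELEASE_RE = re.compile(r"[.\-_]?(a|b|rc|dev|alpha|beta|pre)\d*", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a string such as "14.0.1rc1" into a comparable tuple.

    Numeric parts are zero-padded to at least three components so that
    "14" == "14.0.0". A trailing sentinel is appended: 0 for a final release,
    -1 for a pre-release, so "14.0.1rc1" sorts below "14.0.1" and therefore
    still falls inside the affected range.
    """
    m = _NUMERIC_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    rest = text[m.end():]
    sentinel = -1 if _PRERELEASE_RE.match(rest) else 0
    return tuple(parts) + (sentinel,)


def is_affected(version: str, events=PYSEC_2023_238_EVENTS) -> bool:
    """Walk the ascending OSV events; the last one at or below `version` decides."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if v >= parse_version(event["introduced"]):
                affected = True
        elif "fixed" in event:
            if v >= parse_version(event["fixed"]):
                affected = False
        elif "last_affected" in event:
            if v > parse_version(event["last_affected"]):
                affected = False
    return affected


def recommended_action(version: str) -> str:
    """Advice for one version string (the hotfix package is an upstream fact,
    not something stated on this OSV page)."""
    if not is_affected(version):
        return f"pyarrow {version}: not affected by PYSEC-2023-238"
    return (
        f"pyarrow {version}: affected; upgrade to >=14.0.1, or, if that is not "
        "possible, install pyarrow-hotfix and import it before reading any "
        "Arrow IPC, Feather or Parquet data from an untrusted source"
    )


def installed_pyarrow_status() -> dict:
    """Check the pyarrow importable in this interpreter, if any.

    Returns {"installed": False} when pyarrow is absent, so the example also
    runs on a machine without it.
    """
    try:
        import pyarrow
    except ImportError:
        return {"installed": False}
    version = pyarrow.__version__
    return {
        "installed": True,
        "version": version,
        "affected": is_affected(version),
        "action": recommended_action(version),
    }


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real hosts.
    for v in ("0.13.0", "0.14.0", "12.0.1", "14.0.0", "14.0.1rc1", "14.0.1", "15.0.0"):
        print(recommended_action(v))
    print(installed_pyarrow_status())
```

The range walk is the general OSV ECOSYSTEM algorithm, so the same `is_affected` works for any advisory's event list, including ones with several introduced/fixed pairs or a `last_affected` event; the pre-release sentinel errs on the side of flagging a 14.0.1 release candidate as still affected rather than silently clearing it.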

References

Affected packages

PyPI / pyarrow

Affected ranges
Type: ECOSYSTEM
Events: Introduced 0.14.0; Fixed 14.0.1

Affected versions

0.*

0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.17.0
0.17.1

1.*

1.0.0
1.0.1

2.*

2.0.0

3.*

3.0.0

4.*

4.0.0
4.0.1

5.*

5.0.0

6.*

6.0.0
6.0.1

7.*

7.0.0

8.*

8.0.0

9.*

9.0.0

10.*

10.0.0
10.0.1

11.*

11.0.0

12.*

12.0.0
12.0.1

13.*

13.0.0

14.*

14.0.0