CVE-2024-23346

Description

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

How to fix CVE-2024-23346

To remediate CVE-2024-23346, upgrade the affected package to a fixed version below.

• —upgrade to 2022.11.7+dfsg1-11+deb12u1 or later
• —upgrade to 2022.11.7+dfsg1-11+deb12u1 or later
• —upgrade to 2024.2.20 or later
• —upgrade to c231cbd3d5147ee920a37b6ee9dd236b376bcf5a or later

Is CVE-2024-23346 being exploited?

Likely — EPSS is 59.3%, placing CVE-2024-23346 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

• from 0, < 2022.11.7+dfsg1-11+deb12u1
• from 0, < 2022.11.7+dfsg1-11+deb12u1
• from 0, < 2024.2.20
• from 0, < c231cbd3d5147ee920a37b6ee9dd236b376bcf5a, < c231cbd3d5147ee920a37b6ee9dd236b376bcf5a | from 0, < 2024.2.20

CVSS scores

References (9)

• ADVISORYgithub.com/advisories/GHSA-vgv8-5cpj-qj2f
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-23346
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-23346
• PATCHgithub.com/materialsproject/pymatgen