HIGH 7.8
PYSEC-2024-226
Details
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / pymatgen
Introduced in:
0 Fixed in: c231cbd3d5147ee920a37b6ee9dd236b376bcf5a Fix
pip install --upgrade 'pymatgen>=c231cbd3d5147ee920a37b6ee9dd236b376bcf5a' References
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f [ADVISORY]
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f [EVIDENCE]
- https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346 [EVIDENCE]
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a [FIX]
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108 [WEB]
- https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346 [WEB]
- https://github.com/advisories/GHSA-vgv8-5cpj-qj2f [ADVISORY]