Home > Vulnerability Database > CVE-2024-23752

Mend.io Vulnerability Database

CVE-2024-23752

Date: January 21, 2024

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.

Language: Python

Severity Score

9.8

Related Resources (4)

Url: https://github.com/gventuri/pandas-ai

Url: https://github.com/gventuri/pandas-ai/issues/868

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23752

Url: https://www.mend.io/vulnerability-database/CVE-2024-23752

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Missing Authorization

CWE-862

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23752

Date: January 21, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?