PYSEC-2023-238

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyarrow/PYSEC-2023-238.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2023-238
Aliases
Published
2023-11-20T09:15:41.348653Z
Modified
2024-09-11T06:12:37.305327Z
Summary
[none]
Details

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

References

Affected packages

PyPI / pyarrow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.14.0
Fixed
14.0.1

Affected versions

0.*

0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.17.0
0.17.1

1.*

1.0.0
1.0.1

2.*

2.0.0

3.*

3.0.0

4.*

4.0.0
4.0.1

5.*

5.0.0

6.*

6.0.0
6.0.1

7.*

7.0.0

8.*

8.0.0

9.*

9.0.0

10.*

10.0.0
10.0.1

11.*

11.0.0

12.*

12.0.0
12.0.1

13.*

13.0.0

14.*

14.0.0