CVE-2024-23346
📋 TL;DR
CVE-2024-23346 is a critical remote code execution vulnerability in Pymatgen's JonesFaithfulTransformation.from_transformation_str() method that uses eval() on untrusted input. This allows attackers to execute arbitrary Python code when processing malicious input strings. All users of Pymatgen versions before 2024.2.20 are affected.
💻 Affected Systems
- Pymatgen (Python Materials Genomics)
📦 What is this software?
Pymatgen by Materialsvirtuallab
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the server, data exfiltration, lateral movement, and persistence establishment.
Likely Case
Arbitrary code execution in the context of the Pymatgen application, potentially leading to data theft, system manipulation, or further exploitation.
If Mitigated
Limited impact if input validation and sanitization are implemented, restricting exploitation to specific contexts.
🎯 Exploit Status
Exploitation requires the vulnerable method to be called with attacker-controlled input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.2.20
Vendor Advisory: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
Restart Required: No
Instructions:
1. Update Pymatgen using pip: pip install --upgrade pymatgen==2024.2.20
2. Verify the update completed successfully
3. Test application functionality to ensure compatibility
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to only allow expected transformation strings and reject any input containing potentially dangerous characters.
Method Restriction
Disable or restrict access to the JonesFaithfulTransformation.from_transformation_str() method if not required for functionality.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all inputs to the vulnerable method
- Isolate the vulnerable application in a restricted network segment with minimal privileges
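Python example added here (not pymatgen's own code) of the input-validation workaround: a parser for "a,b,c;0,0,0"-style transformation strings that tokenises against a fixed grammar instead of calling eval(), so anything outside that grammar is rejected before it reaches the vulnerable method. The grammar (signed rational coefficients on a, b, c before the ";", rational translations after it) is an assumption drawn from the documented string format, and the returned row layout is not claimed to match pymatgen's internal matrix convention.

```python
import re
from fractions import Fraction

# Assumed grammar: each lattice term is an optional sign, optional rational
# coefficient and one axis letter, e.g. "-2/3b" or "+a".
_TERM = re.compile(r"^([+-]?)(\d+(?:/\d+)?)?([abc])$")
_AXES = {"a": 0, "b": 1, "c": 2}

def _parse_axis_expr(expr: str) -> list[Fraction]:
    """Parse one lattice component like '-a+2b' into coefficients for a, b, c."""
    expr = expr.replace(" ", "")
    row = [Fraction(0)] * 3
    # Split into signed terms; the join check catches stray or doubled signs.
    terms = re.findall(r"[+-]?[^+-]+", expr)
    if not terms or "".join(terms) != expr:
        raise ValueError(f"malformed lattice expression: {expr!r}")
    for term in terms:
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unexpected token in {expr!r}: {term!r}")
        sign, coeff, axis = m.groups()
        value = Fraction(coeff) if coeff else Fraction(1)
        row[_AXES[axis]] += -value if sign == "-" else value
    return row

def parse_transformation_str(s: str):
    """Return (3x3 coefficient rows, translation vector) for 'a,b,c;0,0,0' input.
    The string is tokenised against the fixed grammar above; nothing is evaluated."""
    if s.count(";") != 1:
        raise ValueError("expected exactly one ';' separating lattice and origin")
    lattice_part, origin_part = s.split(";")
    axes = lattice_part.split(",")
    shifts = origin_part.split(",")
    if len(axes) != 3 or len(shifts) != 3:
        raise ValueError("expected three lattice terms and three translation terms")
    matrix = [_parse_axis_expr(x) for x in axes]
    # Fraction() accepts only numeric literals such as '1/2' or '0.25', so a
    # translation term that is not a number raises ValueError here.
    origin = [Fraction(t.strip()) for t in shifts]
    return matrix, origin

def is_valid_transformation_str(s: str) -> bool:
    """Validation gate to place in front of from_transformation_str(): True only if s parses."""
    try:
        parse_transformation_str(s)
        return True
    except (ValueError, ZeroDivisionError):
        return False
```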
🔍 How to Verify
Check if Vulnerable:
Check if Pymatgen version is below 2024.2.20 and if the application uses JonesFaithfulTransformation.from_transformation_str() method with user input.
Check Version:
python -c "import pymatgen; print(pymatgen.__version__)"
Verify Fix Applied:
Verify Pymatgen version is 2024.2.20 or higher and test that the method no longer accepts malicious input.
📡 Detection & Monitoring
Log Indicators:
- Unusual Python execution errors
- Suspicious import statements in transformation strings
- Unexpected system commands in application logs
Network Indicators:
- Unusual outbound connections from Pymatgen application
- Data exfiltration patterns
SIEM Query:
source="application.logs" AND ("JonesFaithfulTransformation" OR "from_transformation_str") AND ("eval" OR "import" OR "os.system" OR "subprocess")
🔗 References
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
- https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346