fkie_cve-2024-52338
Vulnerability from fkie_nvd
Published
2024-11-28 17:15
Modified
2024-11-29 15:15
Severity ?
Summary
Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it
reads Arrow IPC, Feather or Parquet data from untrusted sources (for
example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow
implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it
is recommended that downstream libraries upgrade their dependency
requirements to arrow 17.0.0 or later. If using an affected
version of the package, untrusted data can read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()).
This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0.
Users are recommended to upgrade to version 17.0.0, which fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions\u00a04.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it \nreads Arrow IPC, Feather or Parquet data from untrusted sources (for \nexample, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow \nimplementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it\n is recommended that downstream libraries upgrade their dependency \nrequirements to arrow 17.0.0 or later. If using an affected\nversion of the package, untrusted data can read into a Table and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()).\n\n\nThis issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0.\n\n\nUsers are recommended to upgrade to version 17.0.0, which fixes the issue."
},
{
"lang": "es",
"value": "La deserializaci\u00f3n de datos no confiables en lectores IPC y Parquet en las versiones 4.0.0 a 16.1.0 del paquete Apache Arrow R permite la ejecuci\u00f3n de c\u00f3digo arbitrario. Una aplicaci\u00f3n es vulnerable si lee datos IPC, Feather o Parquet de Arrow de fuentes no confiables (por ejemplo, archivos de entrada proporcionados por el usuario). Esta vulnerabilidad solo afecta al paquete R arrow, no a otras implementaciones o enlaces de Apache Arrow a menos que esos enlaces se utilicen espec\u00edficamente a trav\u00e9s del paquete R (por ejemplo, una aplicaci\u00f3n R que incorpora un int\u00e9rprete de Python y utiliza PyArrow para leer archivos de fuentes no confiables sigue siendo vulnerable si el paquete R arrow es una versi\u00f3n afectada). Se recomienda que los usuarios del paquete R arrow actualicen a la versi\u00f3n 17.0.0 o posterior. De manera similar, se recomienda que las bibliotecas posteriores actualicen sus requisitos de dependencia a arrow 17.0.0 o posterior. Si se utiliza una versi\u00f3n afectada del paquete, se pueden leer datos no confiables en una tabla y se puede utilizar su m\u00e9todo interno to_data_frame() como soluci\u00f3n alternativa (por ejemplo, read_parquet(..., as_data_frame = FALSE)$to_data_frame()). Este problema afecta al paquete Apache Arrow R: desde la versi\u00f3n 4.0.0 hasta la 16.1.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 17.0.0, que soluciona el problema."
}
],
"id": "CVE-2024-52338",
"lastModified": "2024-11-29T15:15:17.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-11-28T17:15:48.690",
"references": [
{
"source": "security@apache.org",
"url": "https://github.com/apache/arrow/commit/801de2fbcf5bcbce0c019ed4b35ff3fc863b141b"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread/0rcbvj1gdp15lvm23zm601tjpq0k25vt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/11/28/3"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.