CVE-2024-23752

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Jan 22, 2024
Updated: Jan 29, 2024
CWE ID 862

Summary

CVE-2024-23752 is a newly disclosed vulnerability affecting the GenerateSDFPipeline function in synthetic_dataframe of PandasAI (pandas-ai) before version 1.5.18. This issue allows attackers to inject arbitrary Python code that gets executed by SDFCodeExecutor. The attacker can create a specification in English language format within a dataframe to trigger code generation. Notably, the vendor had previously attempted to mitigate code execution vulnerabilities, specifically CVE-2023-39660.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share