CVE-2024-52338

CVSS 3.1 Score 9.8 of 10 (critical)

Details

Published: Nov 28, 2024
Updated: Nov 29, 2024
CWE ID 502

Summary

CVE-2024-52338 is a deserialization vulnerability (CWE-502) in the Apache Arrow R package, versions 4.0.0 through 16.1.0. The package's IPC and Parquet readers deserialize untrusted data embedded in the file, so a maliciously crafted Arrow IPC, Feather (the Arrow IPC file format), or Parquet file can lead to arbitrary code execution in any application that reads it with the arrow R package. An application is exposed only if it reads such data from untrusted sources, for example user-supplied input files. The vulnerability is specific to the arrow R package: other Apache Arrow implementations and language bindings are not affected unless they are driven through the R package. Users and downstream libraries should upgrade to arrow 17.0.0 or later. Where upgrading is not possible, the published workaround is to modify the package's to_data_frame() method so that it does not deserialize the embedded data.
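The practical check that follows from the summary is a version gate on the installed package before any untrusted file is read. The R code below is an added example, not code from the advisory or from the Apache Arrow project; the names arrow_version_status and read_untrusted_arrow_file are hypothetical, the affected range and fixed version are taken from the summary above, and the extension-to-reader mapping is an assumption about how the caller names its files.

```r
# Added example, not part of the advisory or the arrow R package.
# Gate reads of untrusted Arrow/Feather/Parquet files on the installed
# arrow version, using the affected range stated in CVE-2024-52338.
affected_min  <- package_version("4.0.0")
affected_max  <- package_version("16.1.0")
fixed_version <- package_version("17.0.0")

# Classify an arrow package version against the advisory's range.
# Hypothetical helper name.
arrow_version_status <- function(v = packageVersion("arrow")) {
  v <- package_version(v)
  if (v >= fixed_version) {
    "fixed"
  } else if (v >= affected_min && v <= affected_max) {
    "affected"
  } else {
    # Releases before 4.0.0 are not named by the advisory; treat them as
    # unverified rather than safe.
    "unknown"
  }
}

# Read a file that may come from an untrusted source, refusing to do so
# unless the installed arrow carries the fix. Hypothetical helper name.
read_untrusted_arrow_file <- function(path) {
  status <- arrow_version_status()
  if (status != "fixed") {
    stop(sprintf(
      "arrow %s is %s for CVE-2024-52338; upgrade to %s or later before reading untrusted files: %s",
      as.character(packageVersion("arrow")), status,
      as.character(fixed_version), path
    ), call. = FALSE)
  }
  # Extension-based dispatch is an assumption about the caller's naming;
  # the reader functions themselves are the package's own.
  switch(tolower(tools::file_ext(path)),
    parquet = arrow::read_parquet(path),
    feather = ,
    arrow   = arrow::read_feather(path),     # Feather v2 is the Arrow IPC file format
    arrows  = arrow::read_ipc_stream(path),  # assumed suffix for the IPC stream format
    stop("unrecognised extension for ", path, call. = FALSE)
  )
}

# Usage (constructed version strings):
arrow_version_status("16.1.0")
arrow_version_status("17.0.0")
arrow_version_status("3.0.0")
```

The gate runs before the reader is called, so an affected installation never touches the file; it does not attempt to sanitise the file contents, because the deserialization happens inside the package and only the upgrade or the published to_data_frame() workaround removes it.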
