CVE-2024-23752

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Jan 22, 2024

Updated: Jan 29, 2024

CWE ID 862

Summary

CVE-2024-23752 is a newly disclosed vulnerability affecting the GenerateSDFPipeline function in synthetic_dataframe of PandasAI (pandas-ai) before version 1.5.18. This issue allows attackers to inject arbitrary Python code that gets executed by SDFCodeExecutor. The attacker can create a specification in English language format within a dataframe to trigger code generation. Notably, the vendor had previously attempted to mitigate code execution vulnerabilities, specifically CVE-2023-39660.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/uO5hQl
https://www.cve.org/CVERecord?id=CVE-2024-23752
https://nvd.nist.gov/vuln/detail/CVE-2024-23752

Back to Vulnerability Database

CVE-2024-23752

CVSS 3.1 Score 9.8 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations