SentinelOne CVE Vulnerability Database

CVE-2024-23346: Pymatgen Library RCE Vulnerability

CVE-2024-23346 is a remote code execution vulnerability in the Pymatgen library caused by insecure use of eval() in the JonesFaithfulTransformation method. This article covers technical details, affected versions, and patches.


CVE-2024-23346 Overview

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str() method within the pymatgen library prior to version 2024.2.20. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

Critical Impact

This vulnerability can lead to arbitrary code execution and potentially full system compromise if exploited.

Affected Products

  • materialsvirtuallab pymatgen

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to materialsvirtuallab
  • Not Available - CVE CVE-2024-23346 assigned
  • Not Available - materialsvirtuallab releases security patch
  • 2024-02-21T17:15:09.377 - CVE CVE-2024-23346 published to NVD
  • 2025-02-05T22:10:07.683 - Last updated in NVD database

Technical Details for CVE-2024-23346

Vulnerability Analysis

The vulnerability exists in the JonesFaithfulTransformation.from_transformation_str() method. The use of eval() to interpret user inputs allows for arbitrary code execution if the input is not properly sanitized. This could be exploited by an attacker who provides malicious input designed to execute arbitrary Python code.

Root Cause

The root cause is the improper use of eval() in processing input strings without proper validation or sanitization.

Attack Vector

The attack is local, requiring the ability to supply crafted input that is processed by the vulnerable method.

```python
# Example exploitation code (sanitized): the same eval()-on-untrusted-input
# pattern as the vulnerable method, reduced to its essentials
def exploit_vuln(input_str):
    # Danger: eval used without validation; the string is run as Python code
    eval(input_str)

# Any syntactically valid Python in the input is executed
exploit_vuln("__import__('os').system('ls')")
```

Detection Methods for CVE-2024-23346

Indicators of Compromise

  • Unusual processes spawned from the Python application
  • Logs showing unexpected inputs to JonesFaithfulTransformation.from_transformation_str()
  • Suspicious eval() calls in logs or execution traces

Detection Strategies

Use application logs to record the inputs passed to the from_transformation_str() method and to detect eval() being invoked on them. Use EDR tools to trace process execution flows stemming from the application, since a successful exploit typically shows up as a child process of the Python interpreter.

Monitoring Recommendations

Implement logging of input parameters to the vulnerable method and review log files for patterns indicative of malicious activity. Employ real-time monitoring on systems running pymatgen to detect anomalous behavior.

How to Mitigate CVE-2024-23346

Immediate Actions Required

  • Upgrade to pymatgen version 2024.2.20 or later
  • Restrict access to systems running vulnerable versions
  • Implement input validation and sanitization before processing

Patch Information

The vulnerability is patched in version 2024.2.20, available via pip install pymatgen --upgrade.

Workarounds

If upgrading is not possible immediately, consider patching the source code to replace eval() with a safe parser, or isolate the vulnerable code execution environment to prevent potential compromises.
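The following is an added example, not pymatgen's own code and not the project's actual fix, showing the kind of safe parser the workaround above refers to, and reusing it as the validator for the log review suggested under Detection Strategies. It assumes a transformation-string format of three comma-separated linear expressions in a, b, c, a semicolon, then three numeric origin-shift values (the "a,b,c;0,0,0" convention); the log-line format, the sample log lines and all function names are constructed here.

```python
# Added example, not pymatgen's own code or its actual fix: an ast whitelist
# parser for linear expressions in a, b, c, and a scanner that applies it to
# constructed log lines so that anything eval() would have executed is flagged.
import ast
import re
from fractions import Fraction

SYMBOLS = ("a", "b", "c")  # assumed lattice-vector symbols
ALLOWED = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant, ast.Name,
           ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub, ast.UAdd, ast.Load)

def parse_linear_expr(expr):
    """Return ({symbol: coeff}, constant) for e.g. '-a+b/2', else ValueError.
    Only node kinds in ALLOWED pass (no Call, Attribute, Subscript, foreign
    names), so "__import__('os')..." is rejected before anything executes."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {expr!r}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"disallowed syntax {type(node).__name__} in {expr!r}")
        if isinstance(node, ast.Name) and node.id not in SYMBOLS:
            raise ValueError(f"unknown symbol {node.id!r} in {expr!r}")
        if isinstance(node, ast.Constant) and (
                isinstance(node.value, bool) or not isinstance(node.value, (int, float))):
            raise ValueError(f"non-numeric constant in {expr!r}")
    return _fold(tree.body)

def _fold(node):
    """Fold a whitelisted AST into (coeffs, const), rejecting non-linear terms."""
    if isinstance(node, ast.Constant):
        return {}, Fraction(node.value)
    if isinstance(node, ast.Name):
        return {node.id: Fraction(1)}, Fraction(0)
    if isinstance(node, ast.UnaryOp):
        coeffs, const = _fold(node.operand)
        sign = -1 if isinstance(node.op, ast.USub) else 1
        return {k: sign * v for k, v in coeffs.items()}, sign * const
    lc, lk = _fold(node.left)
    rc, rk = _fold(node.right)
    if isinstance(node.op, (ast.Add, ast.Sub)):
        sign = 1 if isinstance(node.op, ast.Add) else -1
        out = {k: lc.get(k, 0) + sign * rc.get(k, 0) for k in set(lc) | set(rc)}
        return {k: v for k, v in out.items() if v != 0}, lk + sign * rk
    if isinstance(node.op, ast.Mult):
        if lc and rc:
            raise ValueError("product of two symbols is not linear")
        scalar, coeffs, const = (lk, rc, rk) if not lc else (rk, lc, lk)
        return {k: v * scalar for k, v in coeffs.items()}, const * scalar
    if rc or rk == 0:  # ast.Div: only division by a non-zero constant
        raise ValueError("division must be by a non-zero constant")
    return {k: v / rk for k, v in lc.items()}, lk / rk

def parse_transformation_str(s):
    """Parse '<e1>,<e2>,<e3>;<t1>,<t2>,<t3>' (assumed format) into a 3x3
    coefficient matrix over a, b, c and a numeric 3-vector origin shift."""
    head, sep, tail = s.partition(";")
    matrix = [parse_linear_expr(e) for e in head.split(",")]
    shift = [parse_linear_expr(e) for e in tail.split(",")]
    if not sep or len(matrix) != 3 or len(shift) != 3:
        raise ValueError("expected three expressions, ';', three expressions")
    if any(const != 0 for _, const in matrix) or any(coeffs for coeffs, _ in shift):
        raise ValueError("lattice terms carry no constant; origin shift is numeric")
    return ([[c.get(sym, Fraction(0)) for sym in SYMBOLS] for c, _ in matrix],
            [const for _, const in shift])

def is_safe_transformation_str(s):
    """True if the string parses under the whitelist grammar."""
    try:
        parse_transformation_str(s)
        return True
    except ValueError:
        return False

# Constructed log lines; the assumed format logs the argument literally.
SAMPLE_LOG = [
    "2024-02-21 10:01:02 INFO app: from_transformation_str('a,b,c;0,0,0')",
    "2024-02-21 10:01:05 INFO app: from_transformation_str('b,c,a;1/2,0,0')",
    "2024-02-21 10:02:17 INFO app: from_transformation_str(\"__import__('os').system('ls'),b,c;0,0,0\")",
]
ARG_RE = re.compile(r"from_transformation_str\((.*)\)\s*$")

def scan_log_lines(lines):
    """Return (line number, argument) for every logged call whose argument
    fails the grammar, i.e. input the unpatched method would have eval()'d."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = ARG_RE.search(line)
        if match:
            arg = match.group(1).strip().strip("'\"")
            if not is_safe_transformation_str(arg):
                hits.append((lineno, arg))
    return hits

if __name__ == "__main__":
    print(parse_transformation_str("b,c,a;1/2,0,0"))
    print(scan_log_lines(SAMPLE_LOG))
```

The design point is that the parser never executes the input: it walks the syntax tree and rejects any node kind outside the small arithmetic grammar, so calls, attribute access and unknown names fail closed. The same function doubles as the detection rule, which keeps the log review and the code fix in agreement about what a legitimate transformation string looks like.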

```bash
# Configuration example: pin the fixed release
pip install pymatgen==2024.2.20
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
