A Dependency-Check scan report shows a dependency issue for pandas 1.5.3 with Highest Severity: HIGH, CVE Count: 1 and Evidence Count: 3, and under Identifiers it shows pkg:pypi/pandas@1.5.3 (Confidence: Highest).
But other than that there aren't any details given about the vulnerability and how critical it is. A lot of my applications are using pandas 1.5.3 and I need more details to see how critical it is for those applications. Could you please help me with this?
pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner
Could you please also tell me why the same pandas version is listed under "Suppressed Vulnerabilities" and how to know if it is a false positive? Thanks in advance.
I do have an application which runs pandas 2.2.1 and so far didn't get any vulnerability issue. Can anyone please confirm if CVE-2024-9880 is a false positive?
Here are more details of the report:
pandas:1.5.3
CVE-2024-9880 (OSSINDEX) suppress
pandas - Code Injection
CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv2:
Base Score: HIGH (8.600000381469727)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
OSSINDEX - [CVE-2024-9880] CWE-94: Improper Control of Generation of Code ('Code Injection')
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-9880
OSSIndex - https://huntr.com/bounties/a49baae1-4652-4d6c-a179-313c21c41a8d
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a::pandas:1.5.3:::::::
Suppressed Vulnerabilities
pandas:1.5.3
CVE-2020-13091 (OSSINDEX) suppressed
pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the read_pickle() function is documented as unsafe and it is the user's responsibility to use the function in a secure manner
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-13091 for details
CWE-502 Deserialization of Untrusted Data
Notes: file name: pandas:1.4.1
CVSSv3:
CRITICAL (9.800000190734863)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
OSSINDEX - [CVE-2020-13091] CWE-502: Deserialization of Untrusted Data
OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13091
OSSIndex - https://advisories.gitlab.com/advisory/advpypi_pandas_CVE_2020_13091.html
OSSIndex - https://www.tenable.com/cve/CVE-2020-13091
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a::pandas:1.5.3:::::::
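An added example, not from the thread or the Dependency-Check project: a suppression rule of the kind that moves a finding into the "Suppressed Vulnerabilities" section, written so the report itself records why CVE-2020-13091 is treated as not applicable to pandas 1.5.3 (the CVE text above gives an affected range through 1.0.3 and notes the issue is disputed). The file name, the notes wording and the reviewer placeholders are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical file: dependency-check-suppressions.xml (the name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2020-13091: affected range is pandas through 1.0.3; we ship 1.5.3.
        The CVE is disputed: read_pickle() is documented as unsafe on untrusted input,
        and our code never calls read_pickle() on data from outside the trust boundary.
        Reviewed by: [owner], re-check on: [date]
        ]]></notes>
        <!-- Match the exact package URL from the report, so an upgrade or downgrade
             makes the finding reappear and forces a fresh affected-range check. -->
        <packageUrl>pkg:pypi/pandas@1.5.3</packageUrl>
        <cve>CVE-2020-13091</cve>
    </suppress>
</suppressions>
```

Pass the file with --suppression on the CLI; a suppressed finding is still printed in its own section, which is why the same package shows up under both headings in the report.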