Command Injection Affecting pymatgen package, versions [,2024.2.20)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-PYMATGEN-6261793
  • published 22 Feb 2024
  • disclosed 21 Feb 2024
  • credit William Khem-Marquez

How to fix?

Upgrade pymatgen to version 2024.2.20 or higher.

Overview

pymatgen is a Python Materials Genomics is a robust materials analysis code that defines core object representations for structures and molecules with support for many electronic structure codes. It is currently the core analysis code powering the Materials Project (https://materialsproject.org).

Affected versions of this package are vulnerable to Command Injection due to a flawed code segment involving a regular expression operation followed by the use of eval() function in the JonesFaithfulTransformation.from_transformation_str() method. An attacker can execute arbitrary code when parsing untrusted input.

CVSS Scores

version 3.1
Expand this section

Snyk

9.3 critical
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High