CVE-2024-23346: Improper Neutralization of Special Elements used in a Command ('Command Injection')

February 21, 2024

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str() method within the pymatgen library prior to version 2024.2.20. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

References

github.com/advisories/GHSA-vgv8-5cpj-qj2f
github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py
github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f

Detect and mitigate CVE-2024-23346 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →