CVE-2023-47248
Deserialization of Untrusted Data vulnerability in pyarrow (PyPI)
What is CVE-2023-47248 About?
This vulnerability in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution through deserialization of untrusted data in the IPC and Parquet readers. An application is vulnerable if it reads Arrow IPC, Feather, or Parquet data from untrusted sources. Exploitation requires the attacker to supply a crafted data file or stream, which makes it moderately difficult.
Affected Software
Technical Details
PyArrow versions 0.14.0 to 14.0.0 are vulnerable to arbitrary code execution because of improper handling of untrusted data during deserialization within the IPC and Parquet readers. The vulnerability is triggered when an application processes Arrow IPC, Feather, or Parquet data from an untrusted source, such as user-supplied input files. Deserialization of certain object types or structures embedded in these formats lacks sufficient security checks, so a malicious actor can embed executable code or commands in the data, and they are executed during deserialization in the context of the application that uses PyArrow. This issue is specific to PyArrow and does not affect other Apache Arrow implementations.
What is the Impact of CVE-2023-47248?
Successful exploitation may allow attackers to execute arbitrary code, compromise the integrity, confidentiality, and availability of data, or gain full control of the affected system.
What is the Exploitability of CVE-2023-47248?
Exploitation of this vulnerability requires a moderate level of technical skill, as an attacker needs to craft a specific malicious data payload (Arrow IPC, Feather, or Parquet format) that leverages the deserialization flaw. Prerequisites include the ability to provide untrusted data files to an application using the vulnerable PyArrow library. This is typically a remote attack if the application accepts file uploads or data streams from external sources. No specific authentication or privilege requirements are strictly tied to the vulnerability itself, though the application's access control might limit who can supply input. Risk factors include applications that process data from untrusted sources without rigorous validation or sandboxing measures, increasing the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-47248?
About the Fix from Resolved Security
Available Upgrade Options
- pyarrow
  - >0.14.0, <14.0.1 → Upgrade to 14.0.1
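The upgrade range above, and the pyarrow-hotfix package listed under Additional Resources, can be turned into a start-up check that an application runs before it reads Arrow IPC, Feather, or Parquet data from untrusted input. The code below is an added example written for this page; it is not code from the advisory, from PyArrow, or from the pyarrow-hotfix project. It assumes that importing the `pyarrow_hotfix` module is what activates the hotfix, and it makes the conservative assumption that a pre-release of 14.0.1 (for example 14.0.1rc1) is still unpatched.

```python
"""Version gate for CVE-2023-47248 (added example; not from the advisory page).

Refuses to proceed with untrusted Arrow IPC / Feather / Parquet input unless
the installed pyarrow is fixed (>= 14.0.1) or the pyarrow-hotfix package
(https://pypi.org/project/pyarrow-hotfix) has been loaded.
"""
import importlib
import re

FIRST_AFFECTED = (0, 14, 0)   # from the advisory: first affected release
FIXED_VERSION = (14, 0, 1)    # from the advisory: upgrade target


def parse_version(text):
    """Split '14.0.1', '13.0.0.dev10' or '14.0.1rc1' into (release_tuple, is_prerelease).

    Only the leading numeric segments are compared; anything that follows them
    (rc, dev, post suffixes) is reported as a pre-release flag.
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(x) if x else 0 for x in m.group(1, 2, 3))
    is_prerelease = m.group(4).strip() != ""
    return release, is_prerelease


def is_vulnerable(version_text):
    """True when the given pyarrow version falls inside the affected range."""
    release, prerelease = parse_version(version_text)
    if release < FIRST_AFFECTED:
        return False
    if release < FIXED_VERSION:
        return True
    # Assumption (conservative): a pre-release of 14.0.1 may predate the patch,
    # so it is treated as still affected. 14.0.1 final and later are fixed.
    return release == FIXED_VERSION and prerelease


def hotfix_active():
    """True when pyarrow_hotfix can be imported (assumption: importing it applies the fix)."""
    try:
        importlib.import_module("pyarrow_hotfix")
    except ImportError:
        return False
    return True


def check_pyarrow(version_text=None, hotfix=None):
    """Return (safe, reason). With no arguments, inspect the running environment.

    `version_text` and `hotfix` can be passed explicitly so the decision logic
    can be exercised without pyarrow installed (as the accompanying test does).
    """
    if version_text is None:
        try:
            version_text = importlib.import_module("pyarrow").__version__
        except ImportError:
            return True, "pyarrow is not installed"
    if not is_vulnerable(version_text):
        return True, f"pyarrow {version_text} is outside the affected range"
    if hotfix is None:
        hotfix = hotfix_active()
    if hotfix:
        return True, f"pyarrow {version_text} is affected but pyarrow-hotfix is loaded"
    return False, (f"pyarrow {version_text} is affected by CVE-2023-47248; "
                   "upgrade to 14.0.1 or install and import pyarrow-hotfix")


def require_safe_pyarrow():
    """Call once at start-up, before any untrusted IPC/Feather/Parquet input is read."""
    safe, reason = check_pyarrow()
    if not safe:
        raise RuntimeError(reason)
    return reason


if __name__ == "__main__":
    print(require_safe_pyarrow())
```

The check is intentionally separate from the read path: it fails closed at start-up, so a deployment that pins an affected PyArrow without the hotfix is caught before any untrusted file is opened, rather than at the moment a crafted file arrives.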
Additional Resources
- https://pypi.org/project/pyarrow-hotfix
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU
- https://github.com/advisories/GHSA-5wvp-7f3h-6wmm
- https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
- https://www.cve.org/CVERecord?id=CVE-2023-47248
- https://www.openwall.com/lists/oss-security/2023/11/08/7
- https://nvd.nist.gov/vuln/detail/CVE-2023-47248
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL
- https://github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2023-238.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X
What are Similar Vulnerabilities to CVE-2023-47248?
Similar Vulnerabilities: CVE-2017-7657, CVE-2020-9543, CVE-2020-9546, CVE-2021-21394, CVE-2022-21449
