2353639 – (CVE-2024-9880) CVE-2024-9880 pandas: Command Injection in pandas-dev/pandas

Bug 2353639 (CVE-2024-9880) - CVE-2024-9880 pandas: Command Injection in pandas-dev/pandas

Summary: CVE-2024-9880 pandas: Command Injection in pandas-dev/pandas

Keywords:
Status:	NEW
Alias:	CVE-2024-9880
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-20 11:05 UTC by OSIDB Bzimport
Modified:	2025-04-01 12:55 UTC (History)
CC List:	51 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-20 11:05:17 UTC

A command injection vulnerability exists in the `pandas.DataFrame.query` function of pandas-dev/pandas versions up to and including v2.2.2. This vulnerability allows an attacker to execute arbitrary commands on the server by crafting a malicious query. The issue arises from the improper validation of user-supplied input in the `query` function when using the 'python' engine, leading to potential remote command execution.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
anpicker
bdettelb
bparees
brking
caswilli
davidn
david.sastre
doconnor
haoli
hasun
hkataria
jajackso
jcammara
jeder
jforrest
jfula
jkoehler
jmitchel
jneedle
jowilson
jsamir
jwong
kaycoth
kegrant
kholdawa
koliveir
kshier
lcouzens
lphiri
mabashia
mskarbek
nyancey
omaciel
ometelka
pbraun
ptisnovs
relrod
shvarugh
simaishi
smcdonal
stcannon
sthirugn
syedriko
teagle
tfister
thavo
ttakamiy
vkrizan
xdharmai
yguenane