Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-23346
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Pymatgen 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pymatgen是一个用于材料分析的开源 Python 库。 Pymatgen 2024.2.20之前版本存在安全漏洞,该漏洞源于不安全地利用eval()函数来处理输入,从而在解析不受信任的输入时能够执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
materialsprojectpymatgen < 2024.2.20 -
II. Public POCs for CVE-2024-23346
#POC DescriptionSource LinkShenlong Link
1This repository contains a Crystallographic Information File (CIF) intended for use on the "Chemistry" machine on Hack The Box (HTB).https://github.com/9carlo6/CVE-2024-23346POC Details
2This is an exploit for CVE-2024-23346 that acts as a "terminal" (tested on chemistry.htb)https://github.com/MAWK0235/CVE-2024-23346POC Details
3PoC of the vulnerability CVE-2024-23346https://github.com/Sanity-Archive/CVE-2024-23346POC Details
4A Rust exploit for CVE-2024-23346 that functions as a "terminal" (tested on chemistry.htb)https://github.com/szyth/CVE-2024-23346-rust-exploitPOC Details
5This is a exploit for the known Remote Code Execution (RCE) vulnerability in the `pymatgen` (CVE-2024-23346) Python library by uploading a malicious `CIF` file to the hosted `CIF Analyzer` website on the target running on the Chemistry machine from Hack the Box.https://github.com/DAVIDAROCA27/CVE-2024-23346-exploitPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2024-23346
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: pymatgen
Same weakness: CWE-77
V. Comments for CVE-2024-23346

No comments yet

Leave a comment