CVE-2023-47248: PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file
First published: Thu Nov 09 2023(Updated: )
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, maintainers provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/pyarrow | >=0.14.0<14.0.1 | 14.0.1 |
| Apache Pyarrow | >=0.14.0<=14.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf
- https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/
- https://pypi.org/project/pyarrow-hotfix/
- https://nvd.nist.gov/vuln/detail/CVE-2023-47248
- https://github.com/advisories/GHSA-5wvp-7f3h-6wmm (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2023-238.yaml
- https://www.cve.org/CVERecord?id=CVE-2023-47248
- https://www.openwall.com/lists/oss-security/2023/11/08/7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL
- https://pypi.org/project/pyarrow-hotfix
Frequently Asked Questions
What is CVE-2023-47248?
CVE-2023-47248 is a vulnerability in PyArrow that allows arbitrary code execution when loading a malicious data file.
Which versions of PyArrow are affected by CVE-2023-47248?
PyArrow versions 0.14.0 to 0.14.0 are affected by CVE-2023-47248.
How does CVE-2023-47248 occur?
CVE-2023-47248 occurs due to deserialization of untrusted data in IPC and Parquet readers in PyArrow.
How can I fix CVE-2023-47248?
To fix CVE-2023-47248, update PyArrow to version 0.14.1 or higher.
Is CVE-2023-47248 a remote code execution vulnerability?
Yes, CVE-2023-47248 allows for arbitrary code execution when loading a malicious data file.
- collector/nvd-api
- agent/type
- agent/author
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/title
- agent/weakness
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5wvp-7f3h-6wmm
- alias/CVE-2023-47248
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- collector/nvd-cve
- source/NVD
- agent/tags
- collector/github-advisory
- vendor/apache
- canonical/apache pyarrow
- version/apache pyarrow/0.14.0
- version/apache pyarrow/14.0.0
- package-manager/pip