Deserialization in Apache Software Foundation Pyarrow

CVE-2023-47248

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for exam…

Vulnerability class: Insecure Deserialization

EPSS: 0.848 (99.4th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2023-47248?
CVE-2023-47248 is a vulnerability in Apache Software Foundation Pyarrow, classified under Deserialization of Untrusted Data. Published 2023-11-09.
Is CVE-2023-47248 known to be exploited?
5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.