=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN465

_____________________________________________________________________

DATE                : 15/11/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PyArrow versions prior to 14.0.1.

=====================================================================
https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
_____________________________________________________________________


CVE-2023-47248: PyArrow: Arbitrary code execution when loading a
malicious data file


Severity: critical

Affected versions:

- PyArrow 0.14.0 through 14.0.0

Description:

Deserialization of untrusted data in IPC and Parquet readers in
PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution.
An application is vulnerable if it reads Arrow IPC, Feather or
Parquet data from untrusted sources (for example user-supplied
input files).

This vulnerability only affects PyArrow, not other Apache Arrow
implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly,
it is recommended that downstream libraries upgrade their dependency
requirements to PyArrow 14.0.1 or later. PyPI packages are already
available, and we hope that conda-forge packages will be available
soon.

If it is not possible to upgrade, a separate package, `pyarrow-hotfix`,
is provided that disables the vulnerable code path on older PyArrow
versions. See https://pypi.org/project/pyarrow-hotfix/ for
instructions.
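The following audit helper is an added example written for this note; it is not code from CERT-Renater, from the Apache advisory, or from the PyArrow project. It encodes only what the advisory states (affected range 0.14.0 through 14.0.0, fixed in 14.0.1) and assumes, as the `pyarrow-hotfix` package documents, that importing `pyarrow_hotfix` applies the mitigation. It classifies the running interpreter, and also checks whether a pip-style dependency specifier (as downstream libraries are asked to tighten) can only resolve to fixed releases. The function names and the requirement strings used below are constructed for the example.

```python
"""
Audit helpers for CVE-2023-47248 (PyArrow IPC/Parquet deserialization).

Constructed example, not part of the advisory or of the PyArrow project.
Assumptions: the affected range stated in the advisory (0.14.0 through
14.0.0, fixed in 14.0.1), and that importing `pyarrow_hotfix` applies the
mitigation, as that package's own documentation states.
"""
import importlib
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (0, 14, 0)   # first affected release (per advisory)
FIXED: Version = (14, 0, 1)          # first fixed release (per advisory)


def parse_version(text: str) -> Version:
    """Normalise a version string to a (major, minor, patch) triple.

    Pre-release/dev suffixes ("14.0.0.dev12", "14.0.1rc0") are ignored, so a
    development build of an affected release is still counted as affected.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if this PyArrow version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def audit(installed_version: Optional[str], hotfix_importable: bool) -> str:
    """Classify an environment. Pure, so it is testable without pyarrow present."""
    if installed_version is None:
        return "not-installed"
    if not is_affected(installed_version):
        return "fixed"
    return "affected-mitigated" if hotfix_importable else "affected-unmitigated"


def audit_environment() -> str:
    """Inspect the running interpreter (the only function touching real imports)."""
    try:
        pa = importlib.import_module("pyarrow")
    except ImportError:
        return audit(None, False)
    try:
        # pyarrow_hotfix applies its patch on import (assumption from its docs).
        importlib.import_module("pyarrow_hotfix")
        hotfix = True
    except ImportError:
        hotfix = False
    return audit(pa.__version__, hotfix)


# Lower-bound operators of a PEP 440-style specifier, e.g. ">=14.0.1".
_CLAUSE = re.compile(r"(>=|==|~=|>)\s*v?(\d+(?:\.\d+)*)")


def requirement_guarantees_fix(spec: str) -> bool:
    """True if a pip-style requirement such as "pyarrow>=14.0.1,<15" can only
    resolve to fixed releases, judged by its lower bound(s).

    A spec with no lower bound ("pyarrow", "pyarrow<15") returns False since
    it may still resolve to an affected version. Environment markers after
    ";" are ignored.
    """
    spec = spec.split(";", 1)[0]
    for clause in spec.split(","):
        m = _CLAUSE.search(clause)
        if not m:
            continue
        op, v = m.group(1), parse_version(m.group(2))
        if op == ">":
            v = (v[0], v[1], v[2] + 1)  # strict bound: next patch release
        if v >= FIXED:
            return True
    return False


if __name__ == "__main__":
    print("environment:", audit_environment())
    for req in ("pyarrow>=12,<15", "pyarrow==14.0.0", "pyarrow>=14.0.1"):
        print(f"{req!r:24} guarantees fix: {requirement_guarantees_fix(req)}")
```

Run it inside the interpreter that actually reads Arrow IPC, Feather or Parquet input; an `affected-unmitigated` result means either upgrading to 14.0.1 or importing `pyarrow_hotfix` before any reader is used. The requirement check is deliberately conservative: `~=14.0` or `>=12` are reported as not guaranteeing the fix because they still admit 14.0.0.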


References:

https://arrow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-47248


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
