CVE-2023-47248: 
Python vulnerability analysis and mitigation

CVE-2023-47248 is a critical vulnerability affecting PyArrow versions 0.14.0 to 14.0.0, discovered in November 2023. The vulnerability involves deserialization of untrusted data in IPC and Parquet readers, which could allow arbitrary code execution. This security flaw specifically affects PyArrow, the Python bindings for Apache Arrow, and does not impact other Apache Arrow implementations or bindings (NVD, SecurityOnline).

The vulnerability is classified with a CVSS v3.1 Base Score of 9.8 (CRITICAL), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw is identified as CWE-502 (Deserialization of Untrusted Data). The vulnerability specifically affects applications that read Arrow IPC, Feather, or Parquet data from untrusted sources, such as user-supplied input files (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary code on vulnerable systems. This is particularly concerning for data scientists and analysts who frequently work with data from untrusted sources, such as public datasets or data provided by external collaborators. The potential impact includes full system compromise, allowing attackers to steal data, install malware, or launch additional attacks (SecurityOnline).

Users are strongly recommended to upgrade to PyArrow version 14.0.1 or later. For cases where immediate upgrade is not possible, a separate package called 'pyarrow-hotfix' has been provided to disable the vulnerability on older PyArrow versions. Downstream libraries are advised to upgrade their dependency requirements to PyArrow 14.0.1 or later (PyArrow-Hotfix).