CVE-2024-23346: 
Python vulnerability analysis and mitigation

A critical security vulnerability (CVE-2024-23346) was discovered in the Pymatgen (Python Materials Genomics) library's JonesFaithfulTransformation.from_transformation_str() method prior to version 2024.2.20. The vulnerability was disclosed on February 21, 2024, affecting all versions up to 2024.2.8. This open-source Python library for materials analysis contained a critical flaw that could allow arbitrary code execution (GitHub Advisory).

The vulnerability exists in the JonesFaithfulTransformation.from_transformation_str() method, which insecurely utilizes the eval() function for processing input. Despite attempts to secure the eval() function by setting __builtins__ to None, the security measure could be bypassed through subclass traversal to recover the BuiltinImporter class. The vulnerability received a CVSS v3.1 base score of 9.3 (Critical) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code when parsing untrusted input, particularly through maliciously crafted CIF files. This could lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability has been patched in version 2024.2.20 of the Pymatgen library. Users are strongly advised to upgrade to this version or later. The fix involves replacing the unsafe eval() implementation with a more secure parsing mechanism using sympy (GitHub Advisory).