- Description
- Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-supplied input files). This vulnerability only affects the arrow R package, not other Apache Arrow implementations or bindings unless those bindings are specifically used via the R package (for example, an R application that embeds a Python interpreter and uses PyArrow to read files from untrusted sources is still vulnerable if the arrow R package is an affected version). It is recommended that users of the arrow R package upgrade to 17.0.0 or later. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to arrow 17.0.0 or later. If using an affected version of the package, untrusted data can be read into a Table, and its internal to_data_frame() method can be used as a workaround (e.g., read_parquet(..., as_data_frame = FALSE)$to_data_frame()). This issue affects the Apache Arrow R package: from 4.0.0 through 16.1.0. Users are recommended to upgrade to version 17.0.0, which fixes the issue.
- Source
- security@apache.org
- NVD status
- Awaiting Analysis
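The version range and workaround from the description, combined into a guarded reader, as an added example in R (not code from the Apache Arrow project). The helper names arrow_is_affected and read_untrusted and the sample file are assumptions made for illustration.

```r
library(arrow)

# TRUE when the installed arrow package falls in the affected range
# stated in the description (4.0.0 through 16.1.0).
arrow_is_affected <- function(v = utils::packageVersion("arrow")) {
  v >= "4.0.0" && v <= "16.1.0"
}

# Hypothetical wrapper for files from untrusted sources. It always reads
# into an Arrow Table first (as_data_frame = FALSE) and, on an affected
# version, converts with the Table's to_data_frame() method, which is the
# workaround given in the description.
read_untrusted <- function(path, format = c("parquet", "feather", "ipc_stream")) {
  format <- match.arg(format)
  reader <- switch(format,
    parquet    = arrow::read_parquet,
    feather    = arrow::read_feather,
    ipc_stream = arrow::read_ipc_stream
  )
  tbl <- reader(path, as_data_frame = FALSE)

  if (arrow_is_affected()) {
    warning("arrow ", utils::packageVersion("arrow"),
            " is affected by CVE-2024-52338; upgrade to 17.0.0 or later",
            call. = FALSE)
    return(tbl$to_data_frame())
  }
  as.data.frame(tbl)
}

# Constructed sample input: a small Parquet file written locally.
tmp <- tempfile(fileext = ".parquet")
arrow::write_parquet(data.frame(id = 1:3, label = c("a", "b", "c")), tmp)

df <- read_untrusted(tmp, "parquet")
stopifnot(is.data.frame(df), nrow(df) == 3)

# The range check itself, on constructed version numbers.
stopifnot(arrow_is_affected(package_version("16.1.0")),
          !arrow_is_affected(package_version("17.0.0")),
          !arrow_is_affected(package_version("3.0.0")))
```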
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@apache.org
- CWE-502
- Hype score
- Not currently trending
🚨 A Critical vulnerability exists in Apache Software Foundation, Arrow R package (CVE-2024-52338). See the @ncsc_gov_ie for more info: https://t.co/hkk5DfrkgP
@ncsc_gov_ie
13 Dec 2024
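Apache Arrow R vulnerability CVE-2024-52338 has been fixed: arbitrary code execution was possible https://t.co/pOd34oUeiP Since this is the first time Arrow has appeared on this blog, I looked into it and found an article titled "Apache Arrow 覚え書き" (Apache Arrow notes) posted on Qiita. Apache Arrow… https://t.co/H7SQbDFIiK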
@iototsecnews
9 Dec 2024
Apache Arrow affected by CVE-2024-52338 Code Execution Flaw #ApacheArrow #CVE-2024-52338 https://t.co/1mXOPVmgnw
@pravin_karthik
2 Dec 2024
CVE-2024-52338: Critical Security Flaw in Apache Arrow R Package Allows Arbitrary Code Execution https://t.co/IqUBsR6oOw
@CrowdCyber_Com
30 Nov 2024
CVE-2024-52338: Critical Security Flaw in Apache Arrow R Package Allows Arbitrary Code Execution https://t.co/aJa51qM50h
@VulnVanguard
30 Nov 2024
CVE-2024-52338: Critical Security Flaw in Apache Arrow R Package Allows Arbitrary Code Execution https://t.co/XukCQJ6LjT
@Dinosn
30 Nov 2024
CVE-2024-52338: Critical Security Flaw in Apache Arrow R Package Allows Arbitrary Code Execution Stay protected from CVE-2024-52338 vulnerability in the Apache Arrow R package. Learn about the critical security flaw and its potential impact. https://t.co/rRu8E1bMQG
@the_yellow_fall
30 Nov 2024
CVE number = CVE-2024-52338 Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. https://t.co/GnOQPPOXGf
@SystemTek_UK
29 Nov 2024
CVE-2024-52338 Arbitrary Code Execution in Apache Arrow R Package Through Deserialization The Apache Arrow R package versions from 4.0.0 to 16.1.0 have a problem. If an app reads Arrow IPC, Feather, or Parquet da... https://t.co/GZcigFQd7V
@VulmonFeeds
28 Nov 2024
CVE-2024-52338: Apache Arrow R package: Arbitrary code execution when loading a malicious data file https://t.co/9R6EovAU0V
@oss_security
28 Nov 2024
CVE-2024-52338 Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An applicati… https://t.co/ljFh83ffEy
@CVEnew
28 Nov 2024