CVSSv3 score: 9.8

CVE-2024-52338

Published: 28/11/2024 Updated: 29/11/2024

Vulnerability Summary

Arbitrary Code Execution in Apache Arrow R Package Through Deserialization

The Apache Arrow R package, versions 4.0.0 through 16.1.0, deserializes untrusted data in its IPC and Parquet readers in a way that allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather, or Parquet data from untrusted sources. The vulnerability affects only the arrow R package; other Apache Arrow implementations and bindings are not affected unless they are used together with the R package. For example, an R application that drives PyArrow through an embedded Python interpreter and processes untrusted data is still at risk if the installed arrow R package is an affected version. Users should upgrade the arrow R package to version 17.0.0 or later, and downstream libraries should update their dependency requirements to that version or later. As a workaround on an affected version, untrusted data can be read into a Table and converted with the Table's to_data_frame() method, for example read_parquet(..., as_data_frame = FALSE)$to_data_frame().
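The workaround above wrapped in a small helper, written here as an added example (not code from the advisory or the arrow project). It assumes the arrow package is installed and uses the affected version range stated in this record; the helper name and the sample file are constructed for illustration.

```r
# Added example: apply the CVE-2024-52338 workaround whenever the installed
# arrow R package is in the affected range (4.0.0 through 16.1.0; fixed in 17.0.0).
library(arrow)

# Compare the installed version against the range stated in the record.
arrow_is_affected <- function(ver = packageVersion("arrow")) {
  ver >= "4.0.0" && ver < "17.0.0"
}

# Read a Parquet file from an untrusted source. On an affected version, read it
# as a Table first and convert with the Table's to_data_frame() method instead
# of letting read_parquet() build the data frame itself (the stated workaround).
read_untrusted_parquet <- function(path) {
  if (arrow_is_affected()) {
    warning(sprintf(
      "arrow %s is affected by CVE-2024-52338; upgrade to 17.0.0 or later",
      packageVersion("arrow")))
    tbl <- read_parquet(path, as_data_frame = FALSE)
    return(tbl$to_data_frame())
  }
  # Fixed version: the default read path is fine.
  read_parquet(path)
}

# Constructed sample input: write a small Parquet file locally and read it back.
tmp <- tempfile(fileext = ".parquet")
write_parquet(data.frame(id = 1:3, name = c("a", "b", "c")), tmp)
df <- read_untrusted_parquet(tmp)
str(df)
```

The version check is only a guard for the interim; upgrading to 17.0.0 or later remains the fix.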

Mailing Lists

Severity: critical
Affected versions:
- Apache Arrow R package 4.0.0 through 16.1.0
Description: Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrust ...