yfinance-0.2.27-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 8.4) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - yfinance-0.2.27-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: b2b2eb325dc81df00162fc7b87524324be1c6492

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (yfinance version)	Remediation Possible**
CVE-2024-9880	High	8.4	pandas-1.3.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-9880

Vulnerable Library - pandas-1.3.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Powerful data structures for data analysis, time series, and statistics

Library home page: https://files.pythonhosted.org/packages/3e/0c/23764c4635dcb0a784a787498d56847b90ebf974e65f4ab4053a5d97b1a5/pandas-1.3.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• yfinance-0.2.27-py2.py3-none-any.whl (Root Library)
  • ❌ pandas-1.3.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: b2b2eb325dc81df00162fc7b87524324be1c6492

Found in base branch: main

Vulnerability Details

A command injection vulnerability exists in the "pandas.DataFrame.query" function of pandas-dev/pandas versions up to and including v2.2.2. This vulnerability allows an attacker to execute arbitrary commands on the server by crafting a malicious query. The issue arises from the improper validation of user-supplied input in the "query" function when using the 'python' engine, leading to potential remote command execution.

Publish Date: 2025-03-20

URL: CVE-2024-9880

CVSS 3 Score Details (8.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.