BUG: vulnerabilities found in the latest pandas v2.2.3

[OlgasAcc]

Pandas version checks

• I have checked that this issue has not already been reported.

• I have confirmed this bug exists on the latest version of pandas.

• I have confirmed this bug exists on the main branch of pandas.

Reproducible Example

Scan the latest version using Sonatype/Aqua security scanners.
Expected 2 vulns to be reported: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9880,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13091

Issue Description

There are 2 critical security vulnerabilities found in v2.2.3:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9880,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13091.

We didn't get response on email sent to security@tidelift.com.
These 2 issues block upcoming release of our project, could your team take a look and fix them asap?

Thanks

Expected Behavior

Should pass Sonatype and Aqua security scanners with no issues found.

Installed Versions

Replace this line with the output of pd.show_versions()

[rhshadrach]

Thanks for the report. When was the email sent to Tidelift? pandas has not been informed of any recent inquires.

Both these reports are disputed and pandas currently does not plan on making any changes to behavior.

[TomAugspurger]

FYI, security@tidelift.com is only intended for reporting vulnerabilities, not support with previously reported ones.

As noted in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13091, that CVE is disputed. That's behaving as intended and we don't consider it a vulnerability.

[OlgasAcc]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9880

@rhshadrach The email was sent on December, 15. Thanks for the update, will notify our security team about this.