Dear QGIS team, I hope this email finds you well.
Our vulnerability scan detected a vulnerability in the Python libraries in QGIS 3.4.0.2. The report states:

"The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore, affected by a code injection vulnerability in the pandas.DataFrame.query function. The function is intended to allow querying the columns of a DataFrame using a boolean expression. A malicious attacker can construct a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability which can lead to command execution if the code passes untrusted input into self.eval()."

The library is stored in this directory: C:\Program Files\QGIS 3.40.2\apps\Python312\Lib.

Could you please advise as to whether this is a false positive or a known issue?

Thank you.

Kind regards,

Matteo Cassio
Senior IT Systems Engineer
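The quoted report ties the risk to code that passes untrusted input into DataFrame.query / eval. As an added example (not part of the original message and not QGIS or pandas code), the standard-library script below lists call sites whose expression argument is not a plain string literal, which is where review should start when triaging this finding. The function names and the sample source are constructed for illustration, and matching is by method name only, so results are a heuristic that needs manual confirmation.

```python
import ast
from pathlib import Path

# Method names through which pandas evaluates an expression string.
EXPR_METHODS = {"query", "eval"}

# Constructed sample source, used only to demonstrate the audit.
SAMPLE = '''
import pandas as pd
df = pd.DataFrame({"a": [1, 2, 3]})
ok = df.query("a > 1")
user = input()
bad1 = df.query(user)
bad2 = df.query(f"a > {user}")
bad3 = df.eval(expr="a + " + user)
'''

def find_dynamic_expr_calls(source, filename="<src>"):
    """Return sorted (line, method, kind) for .query()/.eval() calls whose
    expression is built at run time rather than written as a literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXPR_METHODS:
            continue
        # The expression is the first positional argument or the expr= keyword.
        expr = node.args[0] if node.args else next(
            (k.value for k in node.keywords if k.arg == "expr"), None)
        if expr is None:
            continue
        if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
            continue  # fixed literal: no caller-controlled content
        kind = "f-string" if isinstance(expr, ast.JoinedStr) else type(expr).__name__
        findings.append((node.lineno, node.func.attr, kind))
    return sorted(findings)

def audit_tree(root):
    """Run the check over every .py file under root (e.g. a plugin folder)."""
    report = {}
    for path in Path(root).rglob("*.py"):
        try:
            hits = find_dynamic_expr_calls(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue  # not parseable by this interpreter; skip
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    for line, method, kind in find_dynamic_expr_calls(SAMPLE):
        print(f"line {line}: .{method}() called with {kind} expression")
```
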