[Qgis-user] QGIS 3.40.2 - suspected vulnerability in Python libraries

Matteo Cassio MCassio at brydenwood.co.uk
Wed Jan 22 04:31:58 PST 2025


Dear QGIS team,

I hope this email finds you well.

Our vulnerability scan detected a vulnerability in the Python libraries in QGIS 3.4.0.2.
The report states:
"The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore, affected by a code injection vulnerability in the pandas.DataFrame.query function. The function is intended to allow querying the columns of a DataFrame using a boolean expression. A malicious attacker can construct a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability which can lead to command execution if the code passes untrusted input into self.eval()."

The library is stored in this directory: C:\Program Files\QGIS 3.40.2\apps\Python312\Lib.

Could you please advise as to whether this is a false positive or a known issue?

Thank you.

Kind regards,



Matteo Cassio

Senior IT Systems Engineer

MCassio at brydenwood.co.uk<mailto:MCassio at brydenwood.co.uk>
+44 (0)20 7253 4772
101 Euston Road
London
NW1 2RA



________________________________

Registered Company Address
Plurenden Manor Farm,
Plurenden Lane,
High Halden,
Kent, TN26 3JW

Bryden Wood
Technology Limited
Registered Company
No 05750083
VAT Registered 876 8921 58
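The scanner text quoted above describes the general shape of the problem: a library call that evaluates a caller-supplied expression string, and an application that, if it ever passes untrusted input to that call, can be made to evaluate something other than a column filter. Whether that applies to a given QGIS install depends on whether any code path hands such strings to DataFrame.query, which the original post does not establish. The block below is an added example written for this page, not QGIS or pandas code, showing the usual mitigation where untrusted filter text must be accepted: parse the candidate string with Python's ast module and allow only a small grammar (column names, literals, comparisons, boolean operators) before it is handed to the evaluating call. It deliberately does not import pandas, so it runs anywhere; the rows and candidate expressions are constructed for the example, and the validator is stricter than pandas' own parser (it rejects pandas' @variable and backtick-column syntax, which are not plain Python expressions). It assumes Python 3.8 or later.

```python
import ast

# Grammar a plain column filter needs: boolean combinations of comparisons
# between column names and literals. Everything else (attribute access,
# calls, subscripts, comprehensions, conditional expressions, the `@`
# matrix operator, ...) is refused simply by being absent from this tuple.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.UnaryOp, ast.Compare,
    ast.Name, ast.Constant, ast.List, ast.Tuple, ast.Load,
    ast.And, ast.Or, ast.Not, ast.USub,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
)
_ALLOWED_LITERALS = (int, float, str, bool, type(None))


def validate_query(expr, allowed_columns):
    """Return True only if expr is a filter built from the allowlisted
    grammar over the given column names. Strings that are not valid Python
    expressions are rejected as well; pandas' `@variable` and backtick
    syntax falls into that category, so this check is stricter than
    pandas' parser on purpose."""
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError):
        return False
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            return False
        if isinstance(node, ast.Name) and node.id not in allowed_columns:
            return False
        if isinstance(node, ast.Constant) and not isinstance(node.value, _ALLOWED_LITERALS):
            return False
    return True


def filter_rows(rows, expr, allowed_columns):
    """Evaluate a validated filter over a list of dict rows (a stand-in for
    a DataFrame in this example). The expression is refused unless it passes
    validate_query; the evaluation namespace then holds only the row's
    columns and an empty __builtins__, so nothing else is reachable."""
    if not validate_query(expr, allowed_columns):
        raise ValueError("query refused: %r" % expr)
    code = compile(expr, "<query>", "eval")
    kept = []
    for row in rows:
        scope = {col: row.get(col) for col in allowed_columns}
        if eval(code, {"__builtins__": {}}, scope):
            kept.append(row)
    return kept


# Constructed sample rows and column set for the example, not QGIS data.
SAMPLE_ROWS = [
    {"name": "road", "value": 12},
    {"name": "river", "value": 3},
    {"name": "road", "value": 7},
]
SAMPLE_COLUMNS = {"name", "value"}

# Constructed candidates: the first three are legitimate filters, the rest
# are the shapes an attacker uses to escape a filter grammar.
CANDIDATES = [
    "value > 10 and name == 'road'",
    "name in ['road', 'rail']",
    "not (value < 5)",
    "__import__('os').system('id')",    # function call
    "value.__class__.__base__",         # attribute walk
    "@__import__('os').system('id')",   # pandas-style local reference
    "[x for x in ()]",                  # comprehension
    "secret > 1",                       # column not exposed to the caller
]


def triage(candidates=CANDIDATES, columns=SAMPLE_COLUMNS):
    """Map each candidate expression to whether the allowlist lets it through."""
    return {expr: validate_query(expr, columns) for expr in candidates}


if __name__ == "__main__":
    for expr, ok in triage().items():
        print("%-7s %s" % ("ALLOW" if ok else "REJECT", expr))
    print(filter_rows(SAMPLE_ROWS, "value > 10 and name == 'road'", SAMPLE_COLUMNS))
```

The point of the allowlist is that it is defined by what is permitted rather than by what is blocked, so new syntax in a future interpreter or library version is rejected by default instead of slipping through. If a code path cannot be made to fit such a grammar, the safer change is to stop accepting expression strings from untrusted sources at all and build the filter from structured parameters instead.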
