[Qgis-user] QGIS 3.40.2 - suspected vulnerability in Python libraries

Matteo Cassio MCassio at brydenwood.co.uk
Thu Jan 23 01:20:13 PST 2025


Hi Regis,

Thank you for your email.

Please find attached the HTML report for the vulnerability. Within it you can find all the details.
I am aware that the vulnerability scanner is likely to pick up false positives; this is why I would like to check with you whether this is the case or if the application is actually vulnerable.

Thank you for your help.

Kind regards,




Matteo Cassio

Senior IT Systems Engineer

MCassio at brydenwood.co.uk
+44 (0)20 7253 4772
101 Euston Road
London
NW1 2RA



________________________________

Registered Company Address
Plurenden Manor Farm,
Plurenden Lane,
High Halden,
Kent, TN26 3JW

Bryden Wood
Technology Limited
Registered Company
No 05750083
VAT Registered 876 8921 58

From: QGIS-User <qgis-user-bounces at lists.osgeo.org> On Behalf Of Régis Haubourg via QGIS-User
Sent: 22 January 2025 15:12
To: qgis-user at lists.osgeo.org
Subject: Re: [Qgis-user] QGIS 3.40.2 - suspected vulnerability in Python libraries


Hi Matteo,

thanks for raising this.

As for dependency vulnerabilities, this depends on the packaging system you use to install QGIS. If you are using the Windows installer, can you please open an issue at https://trac.osgeo.org/osgeo4w? This requires an OSGeo login, which you can obtain at https://www.osgeo.org/community/getting-started-osgeo/osgeo_userid/

If you suspect this is related to QGIS core, or this is a critical vulnerability, you can join the security team privately at security at qgis.org, so that we fix and deploy corrective action before public disclosure, which is the recommended workflow.

When raising a report from a scanner, we will need more details: the exact versions spotted by the scanner, the vulnerability id (aka CVE number) and a copy of the full report.

Also take a close look at the vulnerability score; if it is above 7 or 8, this becomes urgent. If below, you can just raise the issue with us and maybe wait for upgrades to be delivered in the normal workflow.

Finally, keep a critical approach on security. While QGIS Server can be exposed on a web server and be very sensitive, it rarely uses Windows packaging; QGIS Desktop is not supposed to be exposed on the web.

The Python ecosystem is full of such vulnerabilities, which do not make much sense when you are on desktop software with Python scripting capabilities, i.e. basically the ability to wipe or encrypt your disk. We will take care of the packaging, but we need to prioritize urgent, critical issues too.

Thanks again for your help here. We are flooded with vulnerability reports, and we need to learn how to deal with this as a community. Work is planned on this front, but every GIS and IT admin will also have to learn this whole security stuff.

Cheers

Régis


On 22/01/2025 13:31, Matteo Cassio via QGIS-User wrote:
Dear QGIS team,

I hope this email finds you well.

Our vulnerability scan detected a vulnerability in the Python libraries in QGIS 3.4.0.2.
The report states:
"The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore, affected by a code injection vulnerability in the pandas.DataFrame.query function. The function is intended to allow querying the columns of a DataFrame using a boolean expression. A malicious attacker can construct a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability which can lead to command execution if the code passes untrusted input into self.eval()."

The library is stored in this directory: C:\Program Files\QGIS 3.40.2\apps\Python312\Lib.

Could you please advise as to whether this is a false positive or a known issue?

Thank you.

Kind regards,

Matteo Cassio
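As an added example (not QGIS or OSGeo code, and not from either correspondent), here is a small Python triage helper in the spirit of Régis's advice: it reads the version actually installed in a QGIS Python tree from the package's dist-info metadata (without starting the QGIS interpreter), compares it with what the scanner reported, lists which of the details the maintainers asked for are still missing, and routes the report by CVSS score. The site-packages layout, the `Finding` fields, the 7.0 threshold and the sample pandas version it builds for the demo are assumptions, not values from the thread.

```python
"""Triage helper for a dependency-scanner finding against a QGIS Python tree.

Added example, not QGIS or OSGeo code. It assumes the standard
<name>-<version>.dist-info/METADATA layout under the install's site-packages
(for the Windows build that is something like
C:\\Program Files\\QGIS 3.40.2\\apps\\Python312\\Lib\\site-packages) and reads
the version from that file rather than importing the package. The routing
rules follow the thread's advice; the 7.0 CVSS cut-off is an assumption
("above 7 or 8 becomes urgent").
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional
import re
import tempfile

URGENT_CVSS = 7.0  # assumption: the thread says "above 7 or 8"


@dataclass
class Finding:
    package: str
    reported_version: str
    cvss: Optional[float]
    vuln_id: Optional[str] = None   # CVE number, if the scanner gives one
    has_full_report: bool = False   # is the scanner's full output attached?


def _norm(name: str) -> str:
    """Normalise a distribution name the way PEP 503 does (Pandas == pandas)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_version(site_packages: Path, package: str) -> Optional[str]:
    """Return the version recorded in <package>-<ver>.dist-info/METADATA, or None."""
    for info in site_packages.glob("*.dist-info"):
        dist_name, _, _ = info.name[: -len(".dist-info")].partition("-")
        if _norm(dist_name) != _norm(package):
            continue
        metadata = info / "METADATA"
        if not metadata.is_file():
            continue
        for line in metadata.read_text(encoding="utf-8").splitlines():
            if line.startswith("Version:"):
                return line.split(":", 1)[1].strip()
    return None


def triage(finding: Finding, site_packages: Path) -> dict:
    """Compare the scanner's claim with what is really installed and decide
    where the report should go, following the advice given in the thread."""
    actual = installed_version(site_packages, finding.package)
    if actual is None:
        status = "not-installed"        # strong hint of a false positive
    elif actual != finding.reported_version:
        status = "version-mismatch"     # scanner looked at something else
    else:
        status = "version-confirmed"    # the claimed version really is there

    # The maintainers asked for exact versions, the vulnerability id and the
    # full report; list what is still missing before filing anything.
    missing = []
    if finding.vuln_id is None:
        missing.append("vulnerability id (CVE)")
    if not finding.has_full_report:
        missing.append("full scanner report")
    if finding.cvss is None:
        missing.append("CVSS score")

    urgent = finding.cvss is not None and finding.cvss >= URGENT_CVSS
    if urgent:
        route = "private report to the QGIS security team"
    else:
        route = "public issue on the OSGeo4W tracker (normal upgrade workflow)"

    return {
        "package": finding.package,
        "reported": finding.reported_version,
        "installed": actual,
        "status": status,
        "urgent": urgent,
        "route": route,
        "missing": missing,
    }


def build_demo_site_packages() -> Path:
    """Constructed sample: a throwaway site-packages holding one pandas
    dist-info. The version string is made up for the demo."""
    root = Path(tempfile.mkdtemp()) / "site-packages"
    info = root / "pandas-2.2.1.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: pandas\nVersion: 2.2.1\n", encoding="utf-8"
    )
    return root


if __name__ == "__main__":
    sp = build_demo_site_packages()
    print(triage(Finding("pandas", "2.2.1", 7.8, "<CVE id from report>", True), sp))
    print(triage(Finding("pandas", "2.1.0", 5.3), sp))
```

Point `site_packages` at the real `Lib\site-packages` directory of the QGIS install to check a live finding; a `not-installed` or `version-mismatch` status is the first thing to send back to the scanner vendor, and the `missing` list is what to collect before opening an issue.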



