Dear QGIS team, I hope this email finds you well.
Our vulnerability scan detected a vulnerability in the Python libraries in QGIS 3.4.0.2. The report states:

"The version of the Pandas library installed on the remote host has an unpatched exposure. It is, therefore, affected by a code injection vulnerability in the pandas.DataFrame.query function. The function is intended to allow querying the columns of a DataFrame using a boolean expression. A malicious attacker can construct a malicious query to bypass input validation mechanisms and trigger a code injection vulnerability which can lead to command execution if the code passes untrusted input into self.eval()."

The library is stored in this directory: C:\Program Files\QGIS 3.40.2\apps\Python312\Lib

Could you please advise as to whether this is a false positive or a known issue?

Thank you.

Kind regards,

Matteo Cassio
Senior IT Systems Engineer
Bryden Wood (https://www.brydenwood.co.uk/)
[email protected]
+44 (0)20 7253 4772
101 Euston Road, London NW1 2RA
_______________________________________________
QGIS-User mailing list
[email protected]
List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
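The scanner text quoted above already contains the triage condition: DataFrame.query and DataFrame.eval evaluate the expression string they are given, so the finding only matters where some code builds that string from input an attacker controls. Whether it is a false positive for a given QGIS install therefore depends on (a) which pandas wheel is actually present and (b) whether any QGIS plugin or script on that machine passes a non-literal expression into .query()/.eval(). The following triage script is an added example written for this reply; it is not code from the QGIS project, from pandas, or from the message above. It reads the pandas version from the dist-info metadata and walks Python sources with the ast module to list every .query()/.eval() call whose expression argument is not a string literal, since a literal cannot be influenced by input and anything else has to be traced by hand. Assumptions: the pandas wheel lives in a site-packages subdirectory of the Lib path quoted in the message (the message names only Lib), the plugin directory is whatever path you pass as the second argument, and the embedded "plugin" module is constructed for the demonstration only.

```python
"""Triage helper for the pandas DataFrame.query finding (added example, not QGIS or pandas code)."""
import ast
import sys
from pathlib import Path

# Path quoted in the message; the site-packages subdirectory is an assumption
# (pip-installed wheels normally land there rather than directly under Lib).
QGIS_LIB = Path(r"C:\Program Files\QGIS 3.40.2\apps\Python312\Lib")
QGIS_SITE_PACKAGES = QGIS_LIB / "site-packages"


def parse_version_from_metadata(metadata_text):
    """Return the 'Version:' field of a dist-info METADATA file, or None if absent."""
    for line in metadata_text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def installed_pandas_version(site_packages):
    """Version of the pandas wheel installed under site_packages, or None if not found."""
    site = Path(site_packages)
    if not site.is_dir():
        return None
    for meta in site.glob("pandas-*.dist-info/METADATA"):
        return parse_version_from_metadata(meta.read_text(encoding="utf-8", errors="replace"))
    return None


def _expr_argument(call):
    """Expression argument of a .query()/.eval() call: first positional arg or expr=... keyword."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == "expr":
            return kw.value
    return None


def find_dynamic_query_calls(source, filename="<string>"):
    """List (lineno, method, argument_source) for .query()/.eval() calls with a non-literal expression.

    A plain string literal is skipped: the attacker cannot change it.  Variables, f-strings,
    concatenations and similar are reported so a reviewer can trace where the text comes from.
    """
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("query", "eval"):
            continue
        arg = _expr_argument(node)
        if arg is None or (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
            continue
        hits.append((node.lineno, node.func.attr, ast.unparse(arg)))
    return sorted(hits)


def scan_tree(root):
    """Run find_dynamic_query_calls over every .py file below root; unparsable files are skipped."""
    findings = {}
    for py in Path(root).rglob("*.py"):
        try:
            hits = find_dynamic_query_calls(py.read_text(encoding="utf-8", errors="replace"), str(py))
        except SyntaxError:
            continue
        if hits:
            findings[str(py)] = hits
    return findings


# Constructed sample of a plugin module (not a real QGIS plugin), used to show what gets flagged.
SAMPLE_PLUGIN = '''\
import pandas as pd
def filter_layer(df, user_text):
    safe = df.query("elevation > 100 and landuse == 'forest'")
    risky1 = df.query(f"name == '{user_text}'")
    risky2 = df.eval(user_text)
    risky3 = df.query(expr=user_text, engine="python")
    return safe, risky1, risky2, risky3
'''


if __name__ == "__main__":
    site = Path(sys.argv[1]) if len(sys.argv) > 1 else QGIS_SITE_PACKAGES
    version = installed_pandas_version(site)
    print("pandas version:", version if version else f"no pandas dist-info under {site}")
    if len(sys.argv) > 2:
        findings = scan_tree(sys.argv[2])  # e.g. the profile's python/plugins directory
    else:
        findings = {"<sample plugin>": find_dynamic_query_calls(SAMPLE_PLUGIN)}
    for path, hits in findings.items():
        for lineno, method, arg in hits:
            print(f"{path}:{lineno}: .{method}() called with non-literal expression {arg}")
```

Run it as `python triage_pandas_query.py "<site-packages dir>" "<plugins dir>"` from the QGIS Python environment or any Python 3.9+. With no plugin directory it scans the constructed sample and reports lines 4, 5 and 6 only; line 3 is a fixed expression and is left alone. A reported call site is not automatically exploitable, it is the place to check whether the string can contain data from a layer, a form field or a file an outsider can supply.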
