CVE-2023-41334

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41334

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41334.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-41334

Aliases

GHSA-h2x6-5jx5-46hf

Related

Published

2024-03-18T19:15:05Z

Modified

2024-10-12T11:05:02.571517Z

Summary

[none]

Details

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph().to_dot_graph function. A malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

References

Affected packages

Debian:11 / astropy

Package

Name: astropy
Purl: pkg:deb/debian/astropy?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.2-6

4.3~rc1-1

4.3~rc1-2

4.3.1-1

4.3.1-2

4.3.1-3

4.3.1-4

5.*

5.0~rc1-1

5.0~rc1-2

5.0~rc1-3

5.0~rc1-4

5.0~rc1-5

5.0~rc2-1

5.0-1

5.0.1-1

5.0.2-1

5.0.2-2

5.0.3-1

5.0.4-1

5.1~rc1-1

5.1~rc1-2

5.1~rc1-3

5.1-1

5.1-2

5.1-3

5.1-4

5.1.1-1

5.2~rc1-1

5.2-1

5.2.1-1

5.2.1-2

5.3~rc1-1

5.3-1

5.3.1-1

5.3.1-2

5.3.2-1

5.3.3-1

5.3.4-1

5.3.4-2

6.*

6.0.0~rc1-1

6.0.0~rc2-1

6.0.0~rc2-2

6.0.0-1

6.0.1-1

6.0.1-2

6.0.1-3

6.0.1-4

6.1.1-1

6.1.2-1

6.1.3-1

6.1.4-1

6.1.4-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / astropy

Package

Name: astropy
Purl: pkg:deb/debian/astropy?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.2.1-2

5.3~rc1-1

5.3-1

5.3.1-1

5.3.1-2

5.3.2-1

5.3.3-1

5.3.4-1

5.3.4-2

6.*

6.0.0~rc1-1

6.0.0~rc2-1

6.0.0~rc2-2

6.0.0-1

6.0.1-1

6.0.1-2

6.0.1-3

6.0.1-4

6.1.1-1

6.1.2-1

6.1.3-1

6.1.4-1

6.1.4-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / astropy

Package

Name: astropy
Purl: pkg:deb/debian/astropy?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.3-1

Affected versions

5.*

5.2.1-2

5.3~rc1-1

5.3-1

5.3.1-1

5.3.1-2

5.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/astropy/astropy

Affected ranges

Type: GIT
Repo: https://github.com/astropy/astropy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

22057d37b1313f5f5a9b5783df0a091d978dccb5

Affected versions

v0.*

v0.1

v0.2

v0.2b1

v0.2b2

v0.2rc1

v0.3b1

v0.3rc1

v0.4

v0.4rc1

v0.4rc2

v1.*

v1.0rc1

v4.*

v4.1.dev

v4.2.dev

v4.3.dev

v5.*

v5.0.dev

v5.1.dev

v5.2.dev

v5.3

v5.3.1

v5.3.2

v5.3.dev

v5.3rc1