GHSA-38jr-29fh-w9vm

Suggest an improvement
Source
https://github.com/advisories/GHSA-38jr-29fh-w9vm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-38jr-29fh-w9vm/GHSA-38jr-29fh-w9vm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-38jr-29fh-w9vm
Aliases
Published
2024-03-25T19:37:46Z
Modified
2024-03-26T13:01:26.187180Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ansys-geometry-core OS Command Injection vulnerability
Details

subprocess call with shell=True identified, security issue.

Code

On file src/ansys/geometry/core/connection/product_instance.py:

403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:
404     """
405     Start the program where the path is the first item of the ``args`` array argument.
406
407     Parameters
408     ----------
409     args : List[str]
410         List of arguments to be passed to the program. The first list's item shall
411         be the program path.
412     local_env : Dict[str,str]
413         Environment variables to be passed to the program.
414
415     Returns
416     -------
417     subprocess.Popen
418         The subprocess object.
419     """
420      return subprocess.Popen(
421         args,
422         shell=os.name != "nt",
423         stdin=subprocess.DEVNULL,
424         stdout=subprocess.DEVNULL,
425         stderr=subprocess.DEVNULL,
426         env=local_env,
427      )
428 
429 

Upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the shell=True option.

CWE - 78

For more information see https://cwe.mitre.org/data/definitions/78.html

More information

Visit https://bandit.readthedocs.io/en/1.7.8/plugins/b602subprocesspopenwithshellequalstrue.html to find out more information.

Database specific
{
    "nvd_published_at": "2024-03-26T03:15:13Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:37:46Z"
}
References

Affected packages

PyPI / ansys-geometry-core

Package

Name
ansys-geometry-core
View open source insights on deps.dev
Purl
pkg:pypi/ansys-geometry-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.0
Fixed
0.3.3

Affected versions

0.*

0.3.0
0.3.1
0.3.2

PyPI / ansys-geometry-core

Package

Name
ansys-geometry-core
View open source insights on deps.dev
Purl
pkg:pypi/ansys-geometry-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.4.0
Fixed
0.4.12

Affected versions

0.*

0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11