UBUNTU-CVE-2023-41334
- Source
- https://ubuntu.com/security/CVE-2023-41334
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-41334.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-41334
- Related
- Published
- 2024-03-18T19:15:00Z
- Modified
- 2024-10-15T14:11:44Z
- Summary
- [none]
- Details
-
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the
TranformGraph().to_dot_graphfunction. A malicious user can provide a command or a script file as a value to thesavelayoutargument, which will be placed as the first value in a list of arguments passed tosubprocess.Popen. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue. - References
Affected packages
Ubuntu:Pro:18.04:LTS / astropy
Package
- Name
- astropy
- Purl
- pkg:deb/ubuntu/astropy?arch=src?distro=esm-apps/bionic
Ubuntu:20.04:LTS / astropy
Package
- Name
- astropy
- Purl
- pkg:deb/ubuntu/astropy?arch=src?distro=focal
Ubuntu:22.04:LTS / astropy
Package
- Name
- astropy
- Purl
- pkg:deb/ubuntu/astropy?arch=src?distro=jammy
Ubuntu:24.04:LTS / astropy
Package
- Name
- astropy
- Purl
- pkg:deb/ubuntu/astropy?arch=src?distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.0.0-1ubuntu2
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"binary_version": "6.0.0-1ubuntu2",
"binary_name": "astropy-utils"
},
{
"binary_version": "6.0.0-1ubuntu2",
"binary_name": "python-astropy-doc"
},
{
"binary_version": "6.0.0-1ubuntu2",
"binary_name": "python3-astropy"
},
{
"binary_version": "6.0.0-1ubuntu2",
"binary_name": "python3-astropy-dbgsym"
}
]
}