logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-29189 ansys-geometry-core

Package

Manager: pip
Name: ansys-geometry-core
Vulnerable Version: >=0.3.0 <0.3.3 || >=0.4.0 <0.4.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00084 pctl0.25407

Details

ansys-geometry-core OS Command Injection vulnerability subprocess call with shell=True identified, security issue. #### Code On file [src/ansys/geometry/core/connection/product_instance.py](https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428): ``` 403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen: 404 """ 405 Start the program where the path is the first item of the ``args`` array argument. 406 407 Parameters 408 ---------- 409 args : List[str] 410 List of arguments to be passed to the program. The first list's item shall 411 be the program path. 412 local_env : Dict[str,str] 413 Environment variables to be passed to the program. 414 415 Returns 416 ------- 417 subprocess.Popen 418 The subprocess object. 419 """ 420 return subprocess.Popen( 421 args, 422 shell=os.name != "nt", 423 stdin=subprocess.DEVNULL, 424 stdout=subprocess.DEVNULL, 425 stderr=subprocess.DEVNULL, 426 env=local_env, 427 ) 428 429 ``` Upon calling this method ``_start_program`` directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the ``shell=True`` option. #### CWE - 78 For more information see https://cwe.mitre.org/data/definitions/78.html #### More information Visit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.

Metadata

Created: 2024-03-25T19:37:46Z
Modified: 2024-03-26T12:58:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-38jr-29fh-w9vm/GHSA-38jr-29fh-w9vm.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-38jr-29fh-w9vm
Finding: F404
Auto approve: 1