Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-41334
Summary
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. The Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. This issue affects astropy versions 0.2 through 5.0.7, and 5.1rc1 through 5.3.2.
- LOW
- LOCAL
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-77 - Command Injection
A command injection attack involves injecting an operating system command through the data input, which gets executed on the host operating system with the privileges of the victimized application. The impact of a command injection attack may range from loss of data confidentiality and integrity to unauthorized remote access to the hosting system. The attack may cause serious data breaches and system takeover.
References
Advisory Timeline
- Published
