CVE-2023-35932

2023-06-2322:15:08

CWE-1284

CWE-77

[email protected]

web.nvd.nist.gov

jcvi

python library

configuration injection

command injection

cve-2023-35932

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.9%

JSON

jcvi is a Python library to facilitate genome assembly, annotation, and comparative genomics. A configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lead to a command injection. The impact of a configuration injection may vary. Under some conditions, it may lead to command injection if there is for instance shell code execution from the configuration file values. This vulnerability does not currently have a fix.

Affected configurations

Vulners

NVD

Node

tanghaibaojcviRange≤1.3.5

CPENameOperatorVersion
jcvi_project:jcvijcvi project jcvile1.3.5

CPE	Name	Operator	Version
jcvi_project:jcvi	jcvi project jcvi	le	1.3.5

CNA Affected

[
  {
    "vendor": "tanghaibao",
    "product": "jcvi",
    "versions": [
      {
        "version": "<= 1.3.5",
        "status": "affected"
      }
    ]
  }
]