Lucene search

[email protected]NVD:CVE-2023-35932

HistoryJun 23, 2023 - 10:15 p.m.

CVE-2023-35932

2023-06-2322:15:08

CWE-1284

CWE-77

[email protected]

web.nvd.nist.gov

cve-2023-35932

genome assembly

annotation

comparative genomics

configuration injection

command injection

shell code execution

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

48.1%

JSON

jcvi is a Python library to facilitate genome assembly, annotation, and comparative genomics. A configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lead to a command injection. The impact of a configuration injection may vary. Under some conditions, it may lead to command injection if there is for instance shell code execution from the configuration file values. This vulnerability does not currently have a fix.

Affected configurations

Nvd

Node

jcvi_projectjcviRange≤1.3.5

VendorProductVersionCPE
jcvi_projectjcvi*cpe:2.3:a:jcvi_project:jcvi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
jcvi_project	jcvi	*	cpe:2.3:a:jcvi_project:jcvi::::::::

References

github.com/tanghaibao/jcvi/blob/cede6c65c8e7603cb266bc3395ac8f915ea9eac7/jcvi/apps/base.py#LL2227C1-L2228C41

github.com/tanghaibao/jcvi/security/advisories/GHSA-x49m-3cw7-gq5q

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

48.1%

JSON

Related for NVD:CVE-2023-35932

cve1 osv2 prion1 veracode1 cvelist1 github1