CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
15.5%
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph().to_dot_graph
function. A malicious user can provide a command or a script file as a value to the savelayout
argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen
. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.