CVE-2023-41334

2024-03-1819:15:05

Google

osv.dev

astropy

python

astronomy

remote code execution

improper input validation

transformgraph

subprocess.popen

8.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph().to_dot_graph function. A malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

CPENameOperatorVersion
astropyeq0.3b1
astropyeq5.1.de
astropyeq5.3
astropyeq0.4rc1
astropyeq0.4rc2
astropyeq5.3rc1
astropyeq0.1
astropyeq0.2rc1
astropyeq0.2
astropyeq4.2.de