Veracode Vulnerability DatabaseVERACODE:42653Command Injection
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
36.6%
scancodeio is vulnerable to Command Injection. The vulnerability exists due to the lack of validation in the docker_reference parameter of the fetch_docker_image function of fetch.py, which allows an attacker to append malicious commands through the docker fetch process.
| CPE | Name | Operator | Version |
|---|---|---|---|
| scancodeio | le | 32.5.0 | |
| scancodeio | le | 32.5.0 |
References
github.com/nexB/scancode.io/blob/main/scanpipe/pipes/fetch.py#L185
github.com/nexB/scancode.io/blob/main/scanpipe/pipes/fetch.py#L186
github.com/nexB/scancode.io/commit/07ec0de1964b14bf085a1c9a27ece2b61ab6105c
github.com/nexB/scancode.io/releases/tag/v32.5.1
github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
36.6%