{ "schema_version": "1.4.0", "id": "GHSA-38jr-29fh-w9vm", "modified": "2024-03-26T12:58:04Z", "published": "2024-03-25T19:37:46Z", "aliases": [ "CVE-2024-29189" ], "summary": "ansys-geometry-core OS Command Injection vulnerability", "details": "subprocess call with shell=True identified, security issue.\n\n#### Code\n\nOn file [src/ansys/geometry/core/connection/product_instance.py](https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428):\n\n```\n403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:\n404 \"\"\"\n405 Start the program where the path is the first item of the ``args`` array argument.\n406\n407 Parameters\n408 ----------\n409 args : List[str]\n410 List of arguments to be passed to the program. The first list's item shall\n411 be the program path.\n412 local_env : Dict[str,str]\n413 Environment variables to be passed to the program.\n414\n415 Returns\n416 -------\n417 subprocess.Popen\n418 The subprocess object.\n419 \"\"\"\n420 return subprocess.Popen(\n421 args,\n422 shell=os.name != \"nt\",\n423 stdin=subprocess.DEVNULL,\n424 stdout=subprocess.DEVNULL,\n425 stderr=subprocess.DEVNULL,\n426 env=local_env,\n427 )\n428 \n429 \n\n```\n\nUpon calling this method ``_start_program`` directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the ``shell=True`` option.\n\n#### CWE - 78\n\nFor more information see https://cwe.mitre.org/data/definitions/78.html\n\n#### More information\n\nVisit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "ansys-geometry-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.3.0" }, { "fixed": "0.3.3" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "ansys-geometry-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.4.0" }, { "fixed": "0.4.12" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29189" }, { "type": "WEB", "url": "https://github.com/ansys/pyansys-geometry/pull/1076" }, { "type": "WEB", "url": "https://github.com/ansys/pyansys-geometry/pull/1077" }, { "type": "WEB", "url": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc" }, { "type": "WEB", "url": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f" }, { "type": "WEB", "url": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html" }, { "type": "PACKAGE", "url": "https://github.com/ansys/pyansys-geometry" }, { "type": "WEB", "url": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428" } ], "database_specific": { "cwe_ids": [ "CWE-78" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-25T19:37:46Z", "nvd_published_at": "2024-03-26T03:15:13Z" } }