CVE-2023-41334

Exploit

EPSS 2.4%
Veröffentlicht 18.03.2024 19:15:05
Zuletzt bearbeitet 05.12.2025 16:44:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`.  Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Astropy ≫ Astropy Version5.3.2 SwPlatformpython

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.4%	0.845

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539

Product

https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5

Patch

https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-41334

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-41334

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-41334

EUVD