CVE-2023-41334

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`.  Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.4 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
8.4 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Debian logo
Debian Releases
Debian Product
Codename
astropy
bullseye
no-dsa
bookworm
no-dsa
sid
7.0.0-1
fixed
trixie
7.0.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
astropy
oracular
not-affected
noble
not-affected
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
Common Weakness Enumeration
References
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf