:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
### Vulnerable Library - astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Astronomy and astrophysics core library
Library home page: https://files.pythonhosted.org/packages/39/6e/04fba8c047000e3d9f09879f4e24ff805edbc4bb3943ec3a31e18ed6cad4/astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Path to dependency file: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt
Path to vulnerable library: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt
Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36
### Vulnerabilities

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

### Details

### CVE-2023-41334
### Vulnerable Library - astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Astronomy and astrophysics core library
Library home page: https://files.pythonhosted.org/packages/39/6e/04fba8c047000e3d9f09879f4e24ff805edbc4bb3943ec3a31e18ed6cad4/astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Path to dependency file: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt
Path to vulnerable library: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt
Dependency Hierarchy:
- :x: **astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36
Found in base branch: main
### Vulnerability Details

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.
Publish Date: 2024-03-18
URL: CVE-2023-41334
### CVSS 3 Score Details (8.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf
Release Date: 2024-03-18
Fix Resolution: 5.3.3
### WS-2023-0378

### Vulnerable Library - astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl

Astronomy and astrophysics core library
Library home page: https://files.pythonhosted.org/packages/39/6e/04fba8c047000e3d9f09879f4e24ff805edbc4bb3943ec3a31e18ed6cad4/astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Path to dependency file: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt
Path to vulnerable library: /sidra_chain_integration/src/space_exploration/project/Lynx/requirements.txt
Dependency Hierarchy:
- :x: **astropy-4.3.1-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36
Found in base branch: main
### Vulnerability Details

A Remote Code Execution can be achieved via the TranformGraph().to_dot_graph function in astropy prior to 5.3.3. Due to improper input validation, a malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen. Although an error will be raised, the command or script will be executed successfully.
Publish Date: 2023-10-13
URL: WS-2023-0378
### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://huntr.com/bounties/c183c24b-cd8d-456a-b7ad-737f4cb24e87/
Release Date: 2023-10-13
Fix Resolution: 5.3.3