CVE-2023-41334— Astropy 安全漏洞

astropy vulnerable to RCE in TranformGraph().to_dot_graph function

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

在命令中使用的特殊元素转义处理不恰当(命令注入)

Astropy 安全漏洞

Astropy是一个 Python 天文学项目，旨在促进 Python 天文学包之间的互操作性。 Astropy 5.3.2版本存在安全漏洞，该漏洞源于函数TranformGraph（）.to_dot_graph存在输入验证不当问题，导致存在远程代码执行漏洞。

N/A

N/A