{"vulnerability": "cve-2023-39523", "sightings": [{"uuid": "cd340e64-a6dd-412e-8331-de5315642032", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-39523", "type": "published-proof-of-concept", "source": "https://t.me/MrVGunz/877", "content": "CVE-2023-39523 : Command Injection in docker fetch process\n\nPossible command injection in the docker pull process as it allows malicious commands to be added to the docker_reference parameter.\n\n PoC : https://github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f", "creation_timestamp": "2023-08-28T22:47:21.000000Z"}, {"uuid": "3ee44e56-053d-4e57-9631-69f5d7a164ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2023-39523", "type": "published-proof-of-concept", "source": "https://github.com/aboutcode-org/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f", "content": "", "creation_timestamp": "2023-08-07T16:09:20.000000Z"}, {"uuid": "6f7aeb35-8686-4cd1-80ca-b3f24caabc46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-39523", "type": "seen", "source": "https://t.me/cibsecurity/67928", "content": "\u203c CVE-2023-39523 \u203c\n\nScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the `docker_reference` parameter.In the function `scanpipe/pipes/fetch.py:fetch_docker_image` the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`. However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of `docker://;`, it would allow appending malicious commands.Version 32.5.1 contains a patch for this issue. The `docker_reference` input should be sanitized to avoid command injections and, as a workaround, one may avoid creating commands with user controlled input directly.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T00:13:38.000000Z"}]}