GHSA-38JR-29FH-W9VM
Vulnerability from github – Published: 2024-03-25 19:37 – Updated: 2025-12-20 00:11
VLAI?
Summary
ansys-geometry-core OS Command Injection vulnerability
Details
subprocess call with shell=True identified, security issue.
Code
On file src/ansys/geometry/core/connection/product_instance.py:
403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:
404 """
405 Start the program where the path is the first item of the ``args`` array argument.
406
407 Parameters
408 ----------
409 args : List[str]
410 List of arguments to be passed to the program. The first list's item shall
411 be the program path.
412 local_env : Dict[str,str]
413 Environment variables to be passed to the program.
414
415 Returns
416 -------
417 subprocess.Popen
418 The subprocess object.
419 """
420 return subprocess.Popen(
421 args,
422 shell=os.name != "nt",
423 stdin=subprocess.DEVNULL,
424 stdout=subprocess.DEVNULL,
425 stderr=subprocess.DEVNULL,
426 env=local_env,
427 )
428
429
Upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the shell=True option.
CWE - 78
For more information see https://cwe.mitre.org/data/definitions/78.html
More information
Visit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.
Severity ?
7.4 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansys-geometry-core"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansys-geometry-core"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.4.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29189"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-25T19:37:46Z",
"nvd_published_at": "2024-03-26T03:15:13Z",
"severity": "HIGH"
},
"details": "subprocess call with shell=True identified, security issue.\n\n#### Code\n\nOn file [src/ansys/geometry/core/connection/product_instance.py](https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428):\n\n```\n403 def _start_program(args: List[str], local_env: Dict[str, str]) -\u003e subprocess.Popen:\n404 \"\"\"\n405 Start the program where the path is the first item of the ``args`` array argument.\n406\n407 Parameters\n408 ----------\n409 args : List[str]\n410 List of arguments to be passed to the program. The first list\u0027s item shall\n411 be the program path.\n412 local_env : Dict[str,str]\n413 Environment variables to be passed to the program.\n414\n415 Returns\n416 -------\n417 subprocess.Popen\n418 The subprocess object.\n419 \"\"\"\n420 return subprocess.Popen(\n421 args,\n422 shell=os.name != \"nt\",\n423 stdin=subprocess.DEVNULL,\n424 stdout=subprocess.DEVNULL,\n425 stderr=subprocess.DEVNULL,\n426 env=local_env,\n427 )\n428 \n429 \n\n```\n\nUpon calling this method ``_start_program`` directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the ``shell=True`` option.\n\n#### CWE - 78\n\nFor more information see https://cwe.mitre.org/data/definitions/78.html\n\n#### More information\n\nVisit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.",
"id": "GHSA-38jr-29fh-w9vm",
"modified": "2025-12-20T00:11:45Z",
"published": "2024-03-25T19:37:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29189"
},
{
"type": "WEB",
"url": "https://github.com/ansys/pyansys-geometry/pull/1076"
},
{
"type": "WEB",
"url": "https://github.com/ansys/pyansys-geometry/pull/1077"
},
{
"type": "WEB",
"url": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"
},
{
"type": "WEB",
"url": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"
},
{
"type": "WEB",
"url": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansys/pyansys-geometry"
},
{
"type": "WEB",
"url": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ansys-geometry-core OS Command Injection vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…