Search
Find a vulnerability
Search criteria
2 vulnerabilities found for pyansys_geometry by ansys
CVE-2024-29189 (GCVE-0-2024-29189)
Vulnerability from nvd – Published: 2024-03-26 02:50 – Updated: 2024-08-05 20:27
VLAI
Title
ansys-geometry-core OS Command Injection vulnerability
Summary
PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12.
Severity
7.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/ansys/pyansys-geometry/securit… | x_refsource_CONFIRM |
| https://github.com/ansys/pyansys-geometry/pull/1076 | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/pull/1077 | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/commit/… | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/commit/… | x_refsource_MISC |
| https://bandit.readthedocs.io/en/1.7.8/plugins/b6… | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/blob/52… | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| ansys | pyansys-geometry |
Affected:
>= 0.3.0, < 0.3.3
Affected: >= 0.4.0, < 0.4.12 |
|
| ansys | pyansys-geometry |
Affected:
0.3.0 , < 0.3.3
(custom)
cpe:2.3:a:ansys:pyansys-geometry:0.3.0:*:*:*:*:*:*:* |
|
| ansys | pyansys-geometry |
Affected:
0.4.0 , < 0.4.12
(custom)
cpe:2.3:a:ansys:pyansys-geometry:0.4.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1076",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1076"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1077",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1077"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"
},
{
"name": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"
},
{
"name": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ansys:pyansys-geometry:0.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyansys-geometry",
"vendor": "ansys",
"versions": [
{
"lessThan": "0.3.3",
"status": "affected",
"version": "0.3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:ansys:pyansys-geometry:0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyansys-geometry",
"vendor": "ansys",
"versions": [
{
"lessThan": "0.4.12",
"status": "affected",
"version": "0.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:24:46.363776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:27:31.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyansys-geometry",
"vendor": "ansys",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.0, \u003c 0.3.3"
},
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.4.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-26T02:50:34.984Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1076",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1076"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1077",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1077"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"
},
{
"name": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"
},
{
"name": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"
}
],
"source": {
"advisory": "GHSA-38jr-29fh-w9vm",
"discovery": "UNKNOWN"
},
"title": "ansys-geometry-core OS Command Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29189",
"datePublished": "2024-03-26T02:50:34.984Z",
"dateReserved": "2024-03-18T17:07:00.094Z",
"dateUpdated": "2024-08-05T20:27:31.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29189 (GCVE-0-2024-29189)
Vulnerability from cvelistv5 – Published: 2024-03-26 02:50 – Updated: 2024-08-05 20:27
VLAI
Title
ansys-geometry-core OS Command Injection vulnerability
Summary
PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12.
Severity
7.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/ansys/pyansys-geometry/securit… | x_refsource_CONFIRM |
| https://github.com/ansys/pyansys-geometry/pull/1076 | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/pull/1077 | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/commit/… | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/commit/… | x_refsource_MISC |
| https://bandit.readthedocs.io/en/1.7.8/plugins/b6… | x_refsource_MISC |
| https://github.com/ansys/pyansys-geometry/blob/52… | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| ansys | pyansys-geometry |
Affected:
>= 0.3.0, < 0.3.3
Affected: >= 0.4.0, < 0.4.12 |
|
| ansys | pyansys-geometry |
Affected:
0.3.0 , < 0.3.3
(custom)
cpe:2.3:a:ansys:pyansys-geometry:0.3.0:*:*:*:*:*:*:* |
|
| ansys | pyansys-geometry |
Affected:
0.4.0 , < 0.4.12
(custom)
cpe:2.3:a:ansys:pyansys-geometry:0.4.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1076",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1076"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1077",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1077"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"
},
{
"name": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"
},
{
"name": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ansys:pyansys-geometry:0.3.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyansys-geometry",
"vendor": "ansys",
"versions": [
{
"lessThan": "0.3.3",
"status": "affected",
"version": "0.3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:ansys:pyansys-geometry:0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyansys-geometry",
"vendor": "ansys",
"versions": [
{
"lessThan": "0.4.12",
"status": "affected",
"version": "0.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:24:46.363776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:27:31.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyansys-geometry",
"vendor": "ansys",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.0, \u003c 0.3.3"
},
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.4.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-26T02:50:34.984Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1076",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1076"
},
{
"name": "https://github.com/ansys/pyansys-geometry/pull/1077",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/pull/1077"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"
},
{
"name": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"
},
{
"name": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"
},
{
"name": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"
}
],
"source": {
"advisory": "GHSA-38jr-29fh-w9vm",
"discovery": "UNKNOWN"
},
"title": "ansys-geometry-core OS Command Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29189",
"datePublished": "2024-03-26T02:50:34.984Z",
"dateReserved": "2024-03-18T17:07:00.094Z",
"dateUpdated": "2024-08-05T20:27:31.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}