https://db.gcve.eu/sightings/feed 2026-06-07T03:02:57.794994+00:00 Vulnerability-Lookup info@gcve.eu python-feedgen Contains only the most 10 recent sightings. https://db.gcve.eu/sighting/6f7aeb35-8686-4cd1-80ca-b3f24caabc46/export 2026-06-07T03:02:58.181990+00:00 cedric https://db.gcve.eu/user/cedric {"uuid": "6f7aeb35-8686-4cd1-80ca-b3f24caabc46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-39523", "type": "seen", "source": "https://t.me/cibsecurity/67928", "content": "\u203c CVE-2023-39523 \u203c\n\nScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the `docker_reference` parameter.In the function `scanpipe/pipes/fetch.py:fetch_docker_image` the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`. However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of `docker://;`, it would allow appending malicious commands.Version 32.5.1 contains a patch for this issue. The `docker_reference` input should be sanitized to avoid command injections and, as a workaround, one may avoid creating commands with user controlled input directly.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T00:13:38.000000Z"} 2023-08-08T00:13:38+00:00 https://db.gcve.eu/sighting/cd340e64-a6dd-412e-8331-de5315642032/export 2026-06-07T03:02:58.180500+00:00 cedric https://db.gcve.eu/user/cedric {"uuid": "cd340e64-a6dd-412e-8331-de5315642032", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-39523", "type": "published-proof-of-concept", "source": "https://t.me/MrVGunz/877", "content": "CVE-2023-39523 : Command Injection in docker fetch process\n\nPossible command injection in the docker pull process as it allows malicious commands to be added to the docker_reference parameter.\n\n PoC : https://github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f", "creation_timestamp": "2023-08-28T22:47:21.000000Z"} 2023-08-28T22:47:21+00:00