Publish GHSA-38jr-29fh-w9vm

Author: advisory-database[bot]

advisories/github-reviewed/2024/03/GHSA-38jr-29fh-w9vm/GHSA-38jr-29fh-w9vm.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-38jr-29fh-w9vm",
-  "modified": "2024-03-26T12:58:04Z",
+  "modified": "2025-12-20T00:11:45Z",
   "published": "2024-03-25T19:37:46Z",
   "aliases": [
     "CVE-2024-29189"
   ],
   "summary": "ansys-geometry-core OS Command Injection vulnerability",
-  "details": "subprocess call with shell=True identified, security issue.\n\n#### Code\n\nOn file [src/ansys/geometry/core/connection/product_instance.py](https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428):\n\n```\n403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:\n404     \"\"\"\n405     Start the program where the path is the first item of the ``args`` array argument.\n406\n407     Parameters\n408     ----------\n409     args : List[str]\n410         List of arguments to be passed to the program. The first list's item shall\n411         be the program path.\n412     local_env : Dict[str,str]\n413         Environment variables to be passed to the program.\n414\n415     Returns\n416     -------\n417     subprocess.Popen\n418         The subprocess object.\n419     \"\"\"\n420      return subprocess.Popen(\n421         args,\n422         shell=os.name != \"nt\",\n423         stdin=subprocess.DEVNULL,\n424         stdout=subprocess.DEVNULL,\n425         stderr=subprocess.DEVNULL,\n426         env=local_env,\n427      )\n428 \n429 \n\n```\n\nUpon calling this method ``_start_program`` directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the ``shell=True`` option.\n\n#### CWE - 78\n\nFor more information see https://cwe.mitre.org/data/definitions/78.html\n\n#### More information\n\nVisit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.\n",
+  "details": "subprocess call with shell=True identified, security issue.\n\n#### Code\n\nOn file [src/ansys/geometry/core/connection/product_instance.py](https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428):\n\n```\n403 def _start_program(args: List[str], local_env: Dict[str, str]) -> subprocess.Popen:\n404     \"\"\"\n405     Start the program where the path is the first item of the ``args`` array argument.\n406\n407     Parameters\n408     ----------\n409     args : List[str]\n410         List of arguments to be passed to the program. The first list's item shall\n411         be the program path.\n412     local_env : Dict[str,str]\n413         Environment variables to be passed to the program.\n414\n415     Returns\n416     -------\n417     subprocess.Popen\n418         The subprocess object.\n419     \"\"\"\n420      return subprocess.Popen(\n421         args,\n422         shell=os.name != \"nt\",\n423         stdin=subprocess.DEVNULL,\n424         stdout=subprocess.DEVNULL,\n425         stderr=subprocess.DEVNULL,\n426         env=local_env,\n427      )\n428 \n429 \n\n```\n\nUpon calling this method ``_start_program`` directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. With this resolution made through #1076 and #1077, we make sure that this method is only called from within the library and we are no longer enabling the ``shell=True`` option.\n\n#### CWE - 78\n\nFor more information see https://cwe.mitre.org/data/definitions/78.html\n\n#### More information\n\nVisit https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html to find out more information.",
   "severity": [
     {
       "type": "CVSS_V3",