cve/2023/CVE-2023-39523.md

### [CVE-2023-39523](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39523)
![](https://img.shields.io/static/v1?label=Product&message=scancode.io&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2032.5.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-77%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20a%20Command%20('Command%20Injection')&color=brighgreen)

### Description

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the `docker_reference` parameter.In the function `scanpipe/pipes/fetch.py:fetch_docker_image` the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`.  However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of `docker://;`, it would allow appending malicious commands.Version 32.5.1 contains a patch for this issue. The `docker_reference` input should be sanitized to avoid command injections and, as a workaround, one may avoid creating commands with user controlled input directly.

### POC

#### Reference
- https://github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f

#### Github
No PoCs found on GitHub currently.
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2023-39523](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39523)`
			`![](https://img.shields.io/static/v1?label=Product&message=scancode.io&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2032.5.1%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-77%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20a%20Command%20('Command%20Injection')&color=brighgreen)`

			`### Description`

			ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the `docker_reference` parameter.In the function `scanpipe/pipes/fetch.py:fetch_docker_image` the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`. However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of `docker://;`, it would allow appending malicious commands.Version 32.5.1 contains a patch for this issue. The `docker_reference` input should be sanitized to avoid command injections and, as a workaround, one may avoid creating commands with user controlled input directly.

			`### POC`

			`#### Reference`
			`- https://github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f`

			`#### Github`
			`No PoCs found on GitHub currently.`