Safety vulnerability ID: 60251
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Scancodeio 32.5.1 includes a fix for a Command Injection vulnerability in the fetch process of the Docker image.
https://github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f
Latest version: 34.10.1
Automate software composition analysis pipelines
--------------------
Security release: This release addresses the security issue detailed below.
We encourage all users of ScanCode.io to upgrade as soon as possible.
- GHSA-2ggp-cmvm-f62f: Command injection in docker image fetch process
The ``fetch_docker_image`` function was subject to a potential injection attack.
User inputs are now sanitized before the subprocess function is called.
https://github.com/nexB/scancode.io/security/advisories/GHSA-2ggp-cmvm-f62f
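The advisory only says that user input is now sanitized before the subprocess call. The block below is an added example, written for this page and not taken from ScanCode.io, of the two controls that close this class of bug: an allowlist check on the image reference, and an argument list passed to ``subprocess`` without a shell. The reference grammar in ``_REFERENCE_RE`` is a simplified, assumed approximation of Docker's ``[registry/]name[:tag][@digest]`` form, and the ``runner`` parameter is a hypothetical injection point used so the function can be exercised without a Docker daemon.

```python
import re
import subprocess
from typing import Callable, Sequence

# Simplified allowlist for a Docker image reference (an assumption for this
# example, not Docker's full grammar): optional host[:port]/, lowercase path
# components, optional :tag, optional @sha256:<64 hex>.
_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
_REFERENCE_RE = re.compile(
    r"^(?:[A-Za-z0-9.-]+(?::[0-9]+)?/)?"        # optional registry host[:port]/
    rf"{_COMPONENT}(?:/{_COMPONENT})*"          # repository path
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"  # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?$"               # optional @digest
)


def validate_image_reference(reference: str) -> str:
    """Return the reference unchanged if it matches the allowlist, else raise.

    Shell metacharacters, whitespace and anything outside the grammar above
    are rejected outright instead of being escaped.
    """
    if not _REFERENCE_RE.fullmatch(reference):
        raise ValueError(f"invalid Docker image reference: {reference!r}")
    return reference


def build_fetch_command(reference: str) -> list[str]:
    """Build the argv list for the fetch.

    The unsafe pattern this replaces is string interpolation such as
    f"docker pull {reference}" executed with shell=True, where the reference
    is parsed by the shell. Here each element is one argv entry and no shell
    is involved, so the reference can never become a second command.
    """
    return ["docker", "pull", validate_image_reference(reference)]


def fetch_docker_image(
    reference: str,
    runner: Callable[..., object] = subprocess.run,  # hypothetical hook for tests
) -> object:
    """Validate the reference, then run the fetch without a shell."""
    argv: Sequence[str] = build_fetch_command(reference)
    return runner(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed inputs: a fake runner records argv instead of calling docker.
    recorded: list[Sequence[str]] = []

    def fake_runner(argv, **kwargs):
        recorded.append(list(argv))
        return "recorded"

    fetch_docker_image("docker.io/library/alpine:3.19", runner=fake_runner)
    print("would execute:", recorded[0])
    for bad in ("alpine:3.19; id", "alpine:3.19 $(id)", "alpine`id`"):
        try:
            fetch_docker_image(bad, runner=fake_runner)
        except ValueError as exc:
            print("rejected:", exc)
```

The important design choice is that validation is an allowlist on the expected format rather than an attempt to strip or quote dangerous characters, and that the allowlist is applied even though the argv form already prevents shell interpretation; a hostile reference is then refused before any process is started and the refusal is visible in logs.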
---
- Add support for multiple input URLs, and for adding multiple pipelines, in the project
creation REST API.
https://github.com/nexB/scancode.io/issues/828
- Update the ``fetch_vulnerabilities`` pipe to make the API requests in batches of purls.
https://github.com/nexB/scancode.io/issues/835
- Add vulnerability support for discovered dependencies.
The dependency data is loaded using the ``find_vulnerabilities`` pipeline backed by
a VulnerableCode database.
https://github.com/nexB/scancode.io/issues/835
- Fix root filesystem scanning for installed packages and archived Linux distributions.
Allows the scan to discover system packages from `rpmdb.sqlite` and other sources.
https://github.com/nexB/scancode.io/pull/840