Product Research Enterprise Plans Docs

PyPi: Astropy

CVE-2023-41334

Safety vulnerability ID: 66947

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 18, 2024 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Affected package

astropy

Latest version: 7.0.0

Astronomy and astrophysics core library

Affected versions

Fixed versions

Vulnerability changelog

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue. See CVE-2023-41334.

MISC:https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539: https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
MISC:https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5: https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
MISC:https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf: https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application