{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-29189","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-03-18T17:07:00.094Z","datePublished":"2024-03-26T02:50:34.984Z","dateUpdated":"2024-08-05T20:27:31.415Z"},"containers":{"cna":{"title":"ansys-geometry-core OS Command Injection vulnerability","problemTypes":[{"descriptions":[{"cweId":"CWE-78","lang":"en","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm","tags":["x_refsource_CONFIRM"],"url":"https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"},{"name":"https://github.com/ansys/pyansys-geometry/pull/1076","tags":["x_refsource_MISC"],"url":"https://github.com/ansys/pyansys-geometry/pull/1076"},{"name":"https://github.com/ansys/pyansys-geometry/pull/1077","tags":["x_refsource_MISC"],"url":"https://github.com/ansys/pyansys-geometry/pull/1077"},{"name":"https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc","tags":["x_refsource_MISC"],"url":"https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"},{"name":"https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f","tags":["x_refsource_MISC"],"url":"https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"},{"name":"https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subproc
ess_popen_with_shell_equals_true.html","tags":["x_refsource_MISC"],"url":"https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"},{"name":"https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428","tags":["x_refsource_MISC"],"url":"https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"}],"affected":[{"vendor":"ansys","product":"pyansys-geometry","versions":[{"version":">= 0.3.0, < 0.3.3","status":"affected"},{"version":">= 0.4.0, < 0.4.12","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-03-26T02:50:34.984Z"},"descriptions":[{"lang":"en","value":"PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. In the file src/ansys/geometry/core/connection/product_instance.py, the method _start_program could, when called directly, be exploited by users to perform malicious operations on the machine where the script is run. This record classifies the issue as OS command injection (CWE-78), and its references include the Bandit B602 check for subprocess calls made with shell=True. 
This vulnerability is fixed in 0.3.3 and 0.4.12."}],"source":{"advisory":"GHSA-38jr-29fh-w9vm","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T01:10:54.820Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"},{"name":"https://github.com/ansys/pyansys-geometry/pull/1076","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/ansys/pyansys-geometry/pull/1076"},{"name":"https://github.com/ansys/pyansys-geometry/pull/1077","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/ansys/pyansys-geometry/pull/1077"},{"name":"https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"},{"name":"https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"},{"name":"https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html","tags":["x_refsource_MISC","x_transferred"],"url":"https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"},{"name":"https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"}]},{"affected":[{"vendor"
:"ansys","product":"pyansys-geometry","cpes":["cpe:2.3:a:ansys:pyansys-geometry:0.3.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0.3.0","status":"affected","lessThan":"0.3.3","versionType":"custom"}]},{"vendor":"ansys","product":"pyansys-geometry","cpes":["cpe:2.3:a:ansys:pyansys-geometry:0.4.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0.4.0","status":"affected","lessThan":"0.4.12","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-08-05T20:24:46.363776Z","id":"CVE-2024-29189","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-05T20:27:31.415Z"}}]}}