CVE-2023-39523

Summary

CVE-2023-39523 is a command injection vulnerability affecting ScanCode.io's server-side software composition analysis tool, ScanPipe, prior to version 32.5.1. The issue arises from the `docker_fetch` process, where the `docker_reference` parameter is user-controllable and can be appended with malicious commands. The `get_docker_image_platform` function constructs a shell command using the `docker_reference`, and the `pipes.run_command` executes it without sanitization, enabling command injections. Malicious users can inject commands by adding a semicolon and additional commands after a `docker://` reference. This vulnerability can potentially cause damage to the server or container, although direct feedback to the user is limited. Version 32.5.1 includes a patch that sanitizes the `docker_reference` input and recommends avoiding the creation of commands with user-controlled input directly.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.