Robpasmue

**Name of the Vulnerable Software and Affected Versions** PyAnsys Geometry versions prior to 0.3.3 PyAnsys Geometry versions prior to 0.4.12 **Description** The issue concerns a Python client library for the Ansys Geometry service and other CAD Ansys products. Upon calling the ` start program` method directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This is due to a subprocess call with `shell=True` identified as a security issue in the file `src/ansys/geometry/core/connection/product instance.py`. The method is supposed to start a program with the given arguments and environment variables, but the use of `shell=True` allows for potential command execution. **Recommendations** For PyAnsys Geometry versions prior to 0.3.3, update to version 0.3.3 or later to resolve the issue. For PyAnsys Geometry versions prior to 0.4.12, update to version 0.4.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the ` start program` method until a patch is available. Avoid using the `shell=True` option in the `subprocess.Popen` call to minimize the risk of exploitation.