CVE-2023-22671

Name of the Vulnerable Software and Affected Versions NSA Ghidra versions 10.2.2 and earlier

Description The issue arises from the Ghidra/RuntimeScripts/Linux/support/launch.sh script in NSA Ghidra, which passes user-provided input into eval, leading to command injection when analyzeHeadless is called with untrusted input.

Recommendations For NSA Ghidra versions 10.2.2 and earlier, consider disabling the analyzeHeadless function when dealing with untrusted input until a patch is available. Restrict access to the launch.sh script to minimize the risk of exploitation. Avoid using untrusted input when calling analyzeHeadless to prevent command injection.