PT-2023-4304 · Docker · Docker

0Xmpij · Published 2023-08-07 · Updated 2023-08-11 · CVE-2023-39523

CVSS v2.0: 7.3 (High)
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: ScanCode.io versions prior to 32.5.1

Description: The issue is a command injection vulnerability in the docker fetch process. Malicious commands can be appended to the docker reference parameter. The docker reference variable is passed to the get docker image platform function, which builds a shell command string from that reference. The pipes.run command then executes this shell command without any prior sanitization, so the function is vulnerable to command injection. A malicious user who can create or add inputs to a project can inject commands and potentially damage the server or container. The injection is blind: it gives the attacker no direct feedback unless logs are available.

Recommendations: For versions prior to 32.5.1, sanitize the docker reference input to prevent command injection. As a workaround, do not build shell command strings directly from user-controlled input. Update to version 32.5.1 or later, which contains a patch for this issue.
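The two recommendations above (validate the reference, and never hand user input to a shell) can be combined as follows. This is an added illustration, not ScanCode.io's own code or its patch: the reference grammar is a deliberately conservative subset of the Docker/OCI reference format, the function names are hypothetical, and the use of a `skopeo inspect` invocation for the platform lookup is an assumption.

```python
import re
import subprocess
from typing import List

# Conservative grammar for an image reference (constructed here; stricter than the
# full distribution/reference spec): [host[:port]/]path[/path...][:tag][@sha256:digest]
# Anything outside this alphabet, including shell metacharacters and whitespace, is rejected.
_REFERENCE_RE = re.compile(
    r"""
    ^
    (?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?/)?   # optional registry host[:port]/
    [a-z0-9]+(?:[._-][a-z0-9]+)*                             # first path component
    (?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*                       # further path components
    (?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?                  # optional :tag
    (?:@sha256:[a-f0-9]{64})?                                # optional @sha256:digest
    $
    """,
    re.VERBOSE,
)


class InvalidDockerReference(ValueError):
    """Raised when a user-supplied docker reference fails validation."""


def validate_docker_reference(reference: str) -> str:
    """Allow-list validation: return the reference unchanged or raise."""
    if not _REFERENCE_RE.match(reference):
        raise InvalidDockerReference(f"rejected docker reference: {reference!r}")
    return reference


def build_inspect_argv(reference: str, tool: str = "skopeo") -> List[str]:
    """Build an argv list (never a shell string) for the platform lookup.

    The tool name and subcommand are assumptions for this example.
    """
    ref = validate_docker_reference(reference)
    return [tool, "inspect", "--raw", f"docker://{ref}"]


def get_docker_image_platform(reference: str) -> subprocess.CompletedProcess:
    """Hypothetical hardened lookup: argv list, shell=False, so no shell parsing occurs."""
    return subprocess.run(
        build_inspect_argv(reference), capture_output=True, text=True, check=False
    )
```

Because the argument list is passed with `shell=False`, even a reference that slipped past validation would reach the tool as a single opaque argument rather than being parsed by a shell.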

Weakness Enumeration: Command Injection

Related Identifiers

BDU:2023-04626
CVE-2023-39523
GHSA-2GGP-CMVM-F62F

Affected Products

Docker