CVE-2024-29189

Name of the Vulnerable Software and Affected Versions PyAnsys Geometry versions prior to 0.3.3 PyAnsys Geometry versions prior to 0.4.12

Description The issue concerns a Python client library for the Ansys Geometry service and other CAD Ansys products. Upon calling the start program method directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This is due to a subprocess call with shell=True identified as a security issue in the file src/ansys/geometry/core/connection/product instance.py. The method is supposed to start a program with the given arguments and environment variables, but the use of shell=True allows for potential command execution.

Recommendations For PyAnsys Geometry versions prior to 0.3.3, update to version 0.3.3 or later to resolve the issue. For PyAnsys Geometry versions prior to 0.4.12, update to version 0.4.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the start program method until a patch is available. Avoid using the shell=True option in the subprocess.Popen call to minimize the risk of exploitation.