CVE-2022-27811: Do not invoke commands through shell. (!13) · Merge requests · GNOME / ocrfeeder · GitLab

GNOME OCRFeeder before 0.8.4 allows OS command injection via shell metacharacters in a PDF or image filename.

Do not invoke commands through shell.

Executing shell commands through mechanisms such as os.system() or subprocess.run(shell=True) with user-controllable input is prone to arbitrary shell command injection. In this particular case, a malicious actor controlling any input name, either in PDF or image form, can force ocrfeeder to execute shell commands embedded in the file name. While a workaround for #20 (closed), mentioning problems opening files with special characters, was introduced in 5286120c, this was not applied to every subprocess invocation. Furthermore, it is good practice to make use of the parameterization of arguments available in the subprocess package instead of relying on character escaping alone, avoiding shell invocation completely. This minimizes the attack surface.

Fixes #82
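As an added example (not ocrfeeder's own code), the contrast the merge request draws: a command string handed to a shell is tokenized by the shell, so a filename carrying a `;` becomes a second command, whereas an argument list delivers the filename to the child process as exactly one argv entry. The tool name `ocr-tool` and the filename are constructed placeholders, and the child process used to check argv is just the Python interpreter so the demo runs offline.

```python
"""Shell-string vs argument-list subprocess invocation with a hostile filename."""
import shlex
import subprocess
import sys

# Constructed sample: a legal file name that a shell would read as two commands.
SUSPICIOUS_NAME = "scan;id.pdf"

# Stand-in for the external OCR program: prints its first argument and exits.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def build_shell_command(tool: str, filename: str) -> str:
    """The pattern the merge request removes: one string meant for shell=True."""
    return f"{tool} {filename}"


def shell_tokens(command: str) -> list:
    """Approximate how /bin/sh splits a command string into words and operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_with_argv(tool_argv: list, filename: str) -> str:
    """The pattern the merge request adopts: an argument list and no shell.

    The filename is appended as a single element, so metacharacters in it are
    never interpreted; the child sees them as plain bytes in argv[1].
    """
    result = subprocess.run(
        tool_argv + [filename], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    unsafe = build_shell_command("ocr-tool", SUSPICIOUS_NAME)
    print("shell would run:", shell_tokens(unsafe))
    # Escaping with shlex.quote does keep the name whole, but only if every
    # call site remembers to apply it; the list form needs no such discipline.
    quoted = build_shell_command("ocr-tool", shlex.quote(SUSPICIOUS_NAME))
    print("escaped string:", shell_tokens(quoted))
    print("argv list delivered:", run_with_argv(ECHO_ARGV, SUSPICIOUS_NAME))
```

`shell_tokens` shows the `;` separating a second command `id.pdf` from the intended one; `run_with_argv` shows the same name arriving intact as one argument.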
