CVE-2023-35932

HIGH

jcvi - Command Injection

Title source: llm

Description

jcvi is a Python library to facilitate genome assembly, annotation, and comparative genomics. A configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lead to a command injection. The impact of a configuration injection may vary. Under some conditions, it may lead to command injection if there is for instance shell code execution from the configuration file values. This vulnerability does not currently have a fix.

References (2)

[Vendor Advisory] https://github.com/tanghaibao/jcvi/security/advisories/GHSA-x49m-3cw7-gq5q

[Product] https://github.com/tanghaibao/jcvi/blob/cede6c65c8e7603cb266bc3395ac8f915ea9eac7/jcvi/apps/base.py#LL2227C1-L2228C41

View Writeup ZIP pw:eip

Scores

CVSS v3 7.1

EPSS 0.0086

EPSS Percentile 75.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-1284 CWE-77

Status published

Products (2)

jcvi_project/jcvi < 1.3.5

pypi/jcvi 0PyPI

Published Jun 23, 2023

Tracked Since Feb 18, 2026