Bug 2267336 (CVE-2024-2243) - CVE-2024-2243 csmock: command injection vulnerability in csmock-plugin-snyk
Summary: CVE-2024-2243 csmock: command injection vulnerability in csmock-plugin-snyk
Keywords:
Status: NEW
Alias: CVE-2024-2243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270495 2270496
Blocks: 2267332
Reported: 2024-03-01 17:23 UTC by Robb Gatica
Modified: 2024-04-09 09:47 UTC (History)

Fixed In Version: csmock-3.5.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in csmock where a regular user of the OSH service (anyone with a valid Kerberos ticket) can use the vulnerability to disclose the confidential Snyk authentication token and to run arbitrary commands on OSH workers.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-03-01 17:23:45 UTC
csmock, which is used by the OpenScanHub (OSH) service, is vulnerable to a command injection attack. The command is isolated by mock (which internally uses systemd-nspawn) but the Snyk authentication token is accessible while the command is being executed:

$ csmock -r rhel-9-x86_64 -t snyk -f python-certifi-2018.10.15-4.el8ost.src.rpm --snyk-code-test-opts='--help; cat /builddir/.config/configstore/snyk.json #'
[...]
{
        "api": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}

This vulnerability was introduced by the following commit:
https://github.com/csutils/csmock/commit/73eddc138c8e9c97246dd2d12ad30a2a13bea3f4
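
The bug class behind this report, as an added illustration that is not csmock's code and not the csmock-3.5.3 fix: a user-controlled option string (`--snyk-code-test-opts`) spliced into a command line that a shell parses, beside the hardened pattern of tokenizing the string with `shlex` and passing the tokens as separate argv entries with no shell involved. The `snyk` binary is replaced by a stand-in (the running Python interpreter echoing its argv as JSON) so the example runs offline, the flag allowlist regex is an assumed defence-in-depth policy, and the payload constant is the one from the report above.

```python
import json
import re
import shlex
import subprocess
import sys

# Constructed from the bug report: the value passed to --snyk-code-test-opts.
INJECTED_OPTS = "--help; cat /builddir/.config/configstore/snyk.json #"

# Stand-in for the snyk binary (assumption, demo only): prints its argv as JSON.
ARGV_ECHO = "import json, sys; print(json.dumps(sys.argv[1:]))"


def build_shell_command(opts: str) -> str:
    """Vulnerable pattern (hypothetical, not csmock's own code): the option
    string is interpolated into one command line that a shell will parse,
    so ';' starts a second command and '#' comments out the rest."""
    return f"snyk code test {opts} --json"


def build_argv(opts: str) -> list[str]:
    """Hardened pattern: tokenize on whitespace/quotes with shlex and pass
    every token as its own argv entry. No shell ever sees the string, so
    ';' and '#' remain literal characters inside ordinary arguments."""
    return ["snyk", "code", "test", *shlex.split(opts), "--json"]


# Assumed allowlist: a flag, optionally with a simple =value. Anything else
# (bare words, paths, shell metacharacters) is rejected before execution.
_ALLOWED = re.compile(r"^--?[A-Za-z][A-Za-z0-9-]*(=[A-Za-z0-9._/:,-]+)?$")


def validate_opts(opts: str) -> bool:
    """Defence in depth: accept only flag-shaped tokens. Returns False for
    the injected payload (';' and '#' are not in the allowed character set)
    and for strings with unbalanced quotes."""
    try:
        tokens = shlex.split(opts)
    except ValueError:  # "No closing quotation"
        return False
    return all(_ALLOWED.fullmatch(tok) for tok in tokens)


def run_without_shell(opts: str) -> list[str]:
    """Execute the hardened argv against the stand-in and return the argv
    the child process actually received (shell=False throughout)."""
    argv = build_argv(opts)
    cmd = [sys.executable, "-c", ARGV_ECHO, *argv[1:]]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    print("shell string :", build_shell_command(INJECTED_OPTS))
    print("argv list    :", build_argv(INJECTED_OPTS))
    print("child saw    :", run_without_shell(INJECTED_OPTS))
    print("accepted?    :", validate_opts(INJECTED_OPTS))
```

Running it shows the payload arriving in the child as the literal arguments `--help;`, `cat`, `/builddir/.config/configstore/snyk.json` and `#`, which the real tool would merely reject as unknown options, whereas the shell-string form carries a second command. Even with an argv list, a token-level allowlist is worth keeping, since the invoked tool may itself interpret odd arguments in unexpected ways.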

Comment 1 Robb Gatica 2024-03-20 15:32:36 UTC
Created csmock tracking bugs for this issue:

Affects: epel-all [bug 2270495]
Affects: fedora-all [bug 2270496]

