Bug 2267336 (CVE-2024-2243) - CVE-2024-2243 csmock: command injection vulnerability in csmock-plugin-snyk
Summary: CVE-2024-2243 csmock: command injection vulnerability in csmock-plugin-snyk
Status: NEW
Alias: CVE-2024-2243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2270495 2270496
Blocks: 2267332
TreeView+ depends on / blocked
Reported: 2024-03-01 17:23 UTC by Robb Gatica
Modified: 2024-04-09 09:47 UTC (History)
2 users (show)

Fixed In Version: csmock-3.5.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in csmock where a regular user of the OSH service (anyone with a valid Kerberos ticket) can use the vulnerability to disclose the confidential Snyk authentication token and to run arbitrary commands on OSH workers.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Robb Gatica 2024-03-01 17:23:45 UTC
csmock, which is used by the OpenScanHub (OSH) service, is vulnerable to a command injection attack. The command is isolated by mock (which internally uses systemd-nspawn) but the Snyk authentication token is accessible while the command is being executed:

$ csmock -r rhel-9-x86_64 -t snyk -f python-certifi-2018.10.15-4.el8ost.src.rpm --snyk-code-test-opts='--help; cat /builddir/.config/configstore/snyk.json #'

This vulnerability was introduced by the following commit:

Comment 1 Robb Gatica 2024-03-20 15:32:36 UTC
Created csmock tracking bugs for this issue:

Affects: epel-all [bug 2270495]
Affects: fedora-all [bug 2270496]

Note You need to log in before you can comment on or make changes to this bug.