{"id":"CVE-2024-29189","summary":"ansys-geometry-core OS Command Injection vulnerability","details":"PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. In the file src/ansys/geometry/core/connection/product_instance.py, a user who calls the method _start_program directly could exploit it to perform malicious operations on the machine where the script is run. This vulnerability is fixed in 0.3.3 and 0.4.12.","aliases":["GHSA-38jr-29fh-w9vm"],"modified":"2026-04-18T04:12:31.835075Z","published":"2024-03-26T02:50:34.984Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29189.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-78"]},"references":[{"type":"WEB","url":"https://bandit.readthedocs.io/en/1.7.8/plugins/b602_subprocess_popen_with_shell_equals_true.html"},{"type":"WEB","url":"https://github.com/ansys/pyansys-geometry/blob/52cba1737a8a7812e5430099f715fa2160ec007b/src/ansys/geometry/core/connection/product_instance.py#L403-L428"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29189.json"},{"type":"ADVISORY","url":"https://github.com/ansys/pyansys-geometry/security/advisories/GHSA-38jr-29fh-w9vm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29189"},{"type":"FIX","url":"https://github.com/ansys/pyansys-geometry/commit/902071701c4f3a8258cbaa46c28dc0a65442d1bc"},{"type":"FIX","url":"https://github.com/ansys/pyansys-geometry/commit/f82346b9432b06532e84f3278125f5879b4e9f3f"},{"type":"FIX","url":"https://github.com/ansys/pyansys-geometry/pull/1076"},{"type":"FIX","url":"https://github.com/ansys/pyansys-geometry/pull/1077"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ansys/pyansys-geometry","events":[{"introduced":"3df28eac4dc03ba3ba6da5d1c33b9fe5d80cd3ee"},{"fixed":"e3614a812bda246e46f47564241056429430d494"},{"introduced":"1d73f96ad58946588
a260969dcd360de12db7453"},{"fixed":"a9c29d9d87656ec75778db94749f6359d2165d21"},{"fixed":"902071701c4f3a8258cbaa46c28dc0a65442d1bc"},{"fixed":"f82346b9432b06532e84f3278125f5879b4e9f3f"}],"database_specific":{"versions":[{"introduced":"0.3.0"},{"fixed":"0.3.3"},{"introduced":"0.4.0"},{"fixed":"0.4.12"}]}}],"versions":["v0.3.0","v0.3.1","v0.3.2","v0.4.0","v0.4.1","v0.4.10","v0.4.11","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.4.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-29189.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}