CVE-2021-32849: 
Python vulnerability analysis and mitigation

Gerapy, a distributed crawler management framework, was found to contain a critical security vulnerability (CVE-2021-32849) that allowed authenticated users to execute arbitrary commands on the system. The vulnerability was present in versions prior to 0.9.9 and was discovered by Rasmus Wriedt Larsen from the CodeQL Python team (GitHub Security Lab, CVE Mitre).

The vulnerability existed in two functions: project_clone and project_parse. In project_clone, the address variable from POST requests was used unsafely in git clone commands, allowing command injection. Similarly, in project_parse, attacker-controlled data from POST requests could be used to execute arbitrary shell commands. The vulnerability was classified as CWE-78 (OS Command Injection) (GitHub Security Lab).

An authenticated attacker could execute arbitrary commands on the system hosting the Gerapy application, potentially leading to complete system compromise (GitHub Advisory).

The vulnerability was fixed in version 0.9.9 of Gerapy. No known workarounds were available for earlier versions, making upgrading to version 0.9.9 or later the only effective mitigation (CVE Mitre).

The GitHub Security Lab initially reported the vulnerability on May 13, 2021, and after the standard 90-day disclosure period, proceeded with public disclosure on November 24, 2021, due to lack of response from the maintainers (GitHub Security Lab).