
Cloud Vulnerability DB
A community-led vulnerabilities database
pymedusa (Medusa) is an automatic video library manager for TV shows. Versions prior to 1.0.12 contain an OS command injection vulnerability (CVE-2023-28627): an attacker with access to the web interface can execute arbitrary OS commands by setting a crafted git executable path under /config/general/ > Advanced Settings. The issue was discovered and reported by pizza-power and disclosed on March 25, 2023 (GitHub Advisory).
The vulnerability is classified as OS Command Injection (CWE-78) with a CVSS v3.1 base score of 8.8 HIGH (NIST) and 8.3 HIGH (GitHub): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L) and no user interaction (UI:N). The flaw is in the github_updater.py module: the configured GIT_PATH value is used to build the git command line without sufficient validation, so shell metacharacters placed in it are executed as additional commands (GitHub Advisory).
An attacker who exploits this vulnerability executes commands with the privileges of the user running pymedusa. Since the only precondition is access to the web interface, any reachable instance can be completely taken over; the number of affected systems is limited mainly by the fact that Medusa instances are often not exposed to the internet (GitHub Advisory).
Users are advised to upgrade to version 1.0.12 or later, which patches the vulnerability. The fix validates the GIT_PATH value in config.py: it disallows special characters other than directory separators and requires the entry to contain the string 'git'. The advisory additionally recommends making username/password authentication mandatory during installation, to reduce the number of unauthenticated exposed instances (GitHub Advisory, GitHub Commit).
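The following Python example is added by the editor to illustrate both the injection pattern described above and the character-allowlist check the advisory describes for the fix. It is not Medusa's own code: the function names, the regular expression, and the sample payloads are assumptions that approximate the behaviour the advisory describes, not the project's actual implementation.

```python
import re
import subprocess

# Character allowlist approximating the 1.0.12 check described in the advisory:
# letters, digits, '_', '.', '-', and directory separators ('/' and '\'), plus
# ':' so a Windows drive letter is not rejected. This regex is the editor's
# reconstruction (an assumption), not the regex shipped in Medusa's config.py.
_GIT_PATH_RE = re.compile(r"^[A-Za-z0-9_.\-/\\:]+$")


def vulnerable_command_line(git_path: str, git_args: str) -> str:
    """Mimic the pre-1.0.12 pattern: the configured path is pasted into a single
    command string that is then handed to a shell (shell=True). With a path such
    as 'git; id #', the shell runs 'git', then 'id', and comments out the rest.
    Hypothetical reconstruction, not Medusa's code."""
    return f"{git_path} {git_args}"


def validate_git_path(git_path: str) -> bool:
    """Approximation of the fix: reject any shell metacharacter (';', '|', '$',
    '(', space, ...) and require the configured entry to contain 'git'."""
    return bool(_GIT_PATH_RE.match(git_path)) and "git" in git_path


def build_hardened_argv(git_path: str, git_args: list[str]) -> list[str]:
    """Validate the path, then return an argv list. Executing an argv list with
    shell=False means no shell ever parses the path, so even a value that slips
    past the allowlist cannot chain a second command."""
    if not validate_git_path(git_path):
        raise ValueError(f"rejected git path: {git_path!r}")
    return [git_path, *git_args]


def run_git(git_path: str, git_args: list[str]) -> subprocess.CompletedProcess:
    """Hardened runner: validated path + argument list, never shell=True."""
    argv = build_hardened_argv(git_path, git_args)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # 1. What the vulnerable string looks like with an injected path.
    print(vulnerable_command_line("git; id #", "rev-parse HEAD"))

    # 2. Harmless demonstration of the same mechanism using shell builtins
    #    (constructed payload; requires a POSIX /bin/sh).
    demo = vulnerable_command_line("true; echo INJECTED #", "rev-parse HEAD")
    print(subprocess.run(demo, shell=True, capture_output=True, text=True).stdout.strip())

    # 3. The allowlist check on a few constructed inputs.
    for candidate in ["/usr/bin/git", "git", "git; id #", "$(id)", "/usr/bin/python3"]:
        print(f"{candidate!r:22} -> {validate_git_path(candidate)}")
```

Two caveats worth noting. The substring test for 'git' only guards against pointing the setting at an unrelated binary by name; the character allowlist is what actually blocks injection, and a Windows path containing a space (such as one under "Program Files") would be rejected by the reconstruction above. Independently of validation, executing an argument list with shell=False is the control that removes the shell from the picture entirely.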
Source: This report was generated using AI