CVE-2023-35932: 
Python vulnerability analysis and mitigation

jcvi is a Python library designed to facilitate genome assembly, annotation, and comparative genomics. A configuration injection vulnerability (CVE-2023-35932) was discovered in versions up to and including v1.3.5. The vulnerability was disclosed on June 23, 2023, affecting the configuration handling functionality of the library (GitHub Advisory, NVD).

The vulnerability exists in the /jcvi/apps/base.py file where user input is processed without proper sanitization before being stored in the configuration file ~/.jcvirc. The vulnerable code retrieves user input and stores it within the fullpath variable which is then written to the configuration file. The CVSS v3.1 base score is 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to inject malicious configuration values that could potentially lead to command injection if there is shell code execution from the configuration file values. This could result in unauthorized code execution on affected systems (GitHub Advisory).

As of the disclosure date, there is no official fix or patch available for this vulnerability. Users should exercise caution when providing input for path configurations and consider implementing additional input validation at the application level (GitHub Advisory).