openc3@7.0.0rc2

Python support for OpenC3 COSMOS

  • latest version: 7.1.1

  • latest non vulnerable version

  • first published: 2 years ago

  • latest version published: 10 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the openc3 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H (High severity)
    Execution with Unnecessary Privileges

    openc3 provides Python support for OpenC3 COSMOS.

    Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the run_script.py and run_script.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a script that prints the process environment, exposing Redis, API, service, TSDB, and bucket secrets to anyone who can view the script output. This leaks authentication material from the running script process and can let an attacker reuse those credentials to access backend services and data.

    How to fix Execution with Unnecessary Privileges?

    Upgrade openc3 to version 7.0.0rc3 or higher.

    Vulnerable versions: [,7.0.0rc3)
    • M (Medium severity)
    Relative Path Traversal

    openc3 provides Python support for OpenC3 COSMOS.

    Affected versions of this package are vulnerable to Relative Path Traversal via the ToolConfigModel tool and config name handling in the Ruby and Python models. An attacker can write or delete arbitrary files within the shared /plugins directory by supplying tool or config names containing /, \, or .. when saving, loading, listing, or deleting tool configs. This can corrupt plugin data, overwrite configuration files, and disrupt tool behavior for users relying on the affected plugin workspace.

    How to fix Relative Path Traversal?

    Upgrade openc3 to version 6.10.5, 7.0.0rc3 or higher.

    Vulnerable versions: [,6.10.5), [7.0.0rc2,7.0.0rc3)
    • C (Critical severity)
    SQL Injection

    openc3 provides Python support for OpenC3 COSMOS.

    Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted start_time, end_time, or column/table-related values that are interpolated directly into SQL strings. This can expose or manipulate telemetry data and disrupt applications that rely on the database results.

    How to fix SQL Injection?

    Upgrade openc3 to version 7.0.0rc3 or higher.

    Vulnerable versions: [6.7.0,7.0.0rc3)