Race Condition Affecting cwltool package, versions [,3.1.20230906142556)
- Snyk ID SNYK-PYTHON-CWLTOOL-6084102
- published 24 Nov 2023
- disclosed 1 Oct 2023
- credit José María Fernández
How to fix?
Upgrade cwltool to version 3.1.20230906142556 or higher.
Overview
cwltool is a Common Workflow Language reference implementation.
Affected versions of this package are vulnerable to Race Condition when a podman process finishes before the monitoring method is reached. This triggers a deadlock: process.returncode does not get updated and the spawned process is left in a zombie state (so no signal is sent).
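The failure mode described above, reproduced with Python's standard subprocess module as an added example (not cwltool's code; the function names are hypothetical and a plain Python child stands in for podman). A child that exits before monitoring starts is never observed by a monitor that only reads returncode, while a monitor that calls poll() reaps it and sees the exit code.

```python
import subprocess
import sys
import time


def spawn_short_lived():
    """Start a child that exits at once, then block until its stdout hits EOF,
    so the child has finished before any monitoring code runs."""
    proc = subprocess.Popen([sys.executable, "-c", "pass"], stdout=subprocess.PIPE)
    proc.stdout.read()   # returns at EOF, i.e. once the child has closed stdout
    proc.stdout.close()
    return proc


def monitor_without_reap(proc, timeout=1.0):
    """Racy monitor: only reads the cached attribute. Nothing here calls
    waitpid(), so the exited child is not reaped and returncode stays None.
    The deadline stands in for what would otherwise be an endless wait."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc.returncode is not None:
            return proc.returncode
        time.sleep(0.05)
    return None  # gave up: the exit was never observed


def monitor_with_poll(proc, timeout=5.0):
    """Safe monitor: poll() does a non-blocking wait on the child, which reaps
    it and fills in returncode even if it exited before we got here."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        rc = proc.poll()
        if rc is not None:
            return rc
        time.sleep(0.05)
    proc.kill()          # still running at the deadline: stop it and reap it
    return proc.wait()


if __name__ == "__main__":
    child = spawn_short_lived()
    print("attribute-only monitor:", monitor_without_reap(child))
    print("poll()-based monitor:  ", monitor_with_poll(child))
```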