Vulnerability Description
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters to commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix has also been backported to 3.7, 3.8 and 3.9.
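The description above boils down to one pattern: a filename taken from an untrusted source is pasted into a mailcap command template and handed to a shell without escaping. The following is an added example (not code from the page, from CPython or from any vendor advisory) of the application-side guard an integrator can put in front of mailcap.findmatch: refuse filenames containing shell-relevant characters, and shell-quote the value when substituting it into a template. The character class is modelled on the check CPython added when it fixed this issue, but that is an assumption about the upstream code; the helper names (check_filename, build_command, safe_findmatch) and the exception class are hypothetical, and the template only handles the %s placeholder.

```python
import re
import shlex

# Assumption: modelled on the "unsafe character" check CPython introduced when
# fixing this issue. Everything outside \w, a few punctuation characters and
# non-ASCII text is treated as unsafe for a shell command line.
_UNSAFE = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]')


class UnsafeMailcapInput(ValueError):
    """Raised when a filename would reach the shell with shell-relevant characters."""


def check_filename(filename: str) -> str:
    """Return filename unchanged if it contains only safe characters, else raise."""
    match = _UNSAFE.search(filename)
    if match:
        raise UnsafeMailcapInput(
            f"refusing filename containing {match.group()!r}")
    return filename


def build_command(template: str, filename: str) -> str:
    """Substitute a validated, shell-quoted filename for %s in a mailcap template.

    Validation comes first (defence in depth); quoting is the second layer, so a
    filename that passes the check but still needs quoting (e.g. non-ASCII)
    reaches the shell as a single word.
    """
    check_filename(filename)
    return template.replace("%s", shlex.quote(filename))


def safe_findmatch(caps, mime_type: str, filename: str):
    """Guarded wrapper around mailcap.findmatch (hypothetical helper).

    The mailcap module is deprecated in 3.11 and removed in 3.13 (assumption
    about the interpreter in use), so it is imported lazily here.
    """
    import mailcap  # noqa: deprecated module, present only in Python <= 3.12
    check_filename(filename)
    return mailcap.findmatch(caps, mime_type, filename=filename)


if __name__ == "__main__":
    # Constructed sample template in mailcap syntax and two constructed filenames.
    template = "display %s"
    print(build_command(template, "report.pdf"))      # display report.pdf
    try:
        build_command(template, "report.pdf; extra")  # ';' and ' ' are rejected
    except UnsafeMailcapInput as exc:
        print("rejected:", exc)
```

Running the block prints the substituted command for the clean filename and the rejection for the one carrying a semicolon. The point of keeping both layers is that the allow-list is what the upstream fix warns on, while shlex.quote is what makes the remaining characters inert if a future template or a non-ASCII name slips past the first check.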
CVSS Score
7.6 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | >= 3.7.0, <= 3.7.15 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Netapp | Snapcenter | - |
| Fedoraproject | Fedora | 35 |
Related Weaknesses (CWE)
References
- https://bugs.python.org/issue24778 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/python/cpython/issues/68966 (Issue Tracking, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2015-20107?
CVE-2015-20107 is a vulnerability with a CVSS score of 7.6 (HIGH). In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into appl...
How severe is CVE-2015-20107?
CVE-2015-20107 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-20107?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility, Netapp Snapcenter, Fedoraproject Fedora.