Vulnerability CVE-2015-20107: Information

Description

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

Severity: HIGH (7.6) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

URL: https://nvd.nist.gov/vuln/detail/CVE-2015-20107

Published: April 13, 2022

Modified: Nov. 7, 2023

Error type identifier: CWE-77

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
python	sisyphus	2.7.18-alt10	2.7.18-alt11	ALT-PU-2022-2066-1	302234	Fixed
python	sisyphus_e2k	2.7.18-alt10	2.7.18-alt11	ALT-PU-2022-5547-1	-	Fixed
python	sisyphus_riscv64	2.7.18-alt10	2.7.18-alt11	ALT-PU-2022-5253-1	-	Fixed
python	p10	2.7.18-alt10	2.7.18-alt10	ALT-PU-2022-3044-1	309289	Fixed
python	p10_e2k	2.7.18-alt10	2.7.18-alt10	ALT-PU-2022-7062-1	-	Fixed
python	c10f1	2.7.18-alt10	2.7.18-alt10	ALT-PU-2022-3044-1	309289	Fixed
python	c9f2	2.7.18-alt0.MC9.1	2.7.18-alt0.MC9.1	ALT-PU-2023-4581-3	324219	Fixed
python3	sisyphus	3.10.8-alt1	3.12.2-alt1	ALT-PU-2022-3282-1	311248	Fixed
python3	sisyphus_e2k	3.10.8-alt1	3.12.2-alt1	ALT-PU-2022-7324-1	-	Fixed
python3	sisyphus_riscv64	3.10.8-alt1	3.12.2-alt1	ALT-PU-2022-7348-1	-	Fixed
python3	p10	3.9.16-alt1	3.9.18-alt1	ALT-PU-2023-1518-1	317117	Fixed
python3	p10_e2k	3.9.16-alt1	3.9.18-alt1	ALT-PU-2023-3007-1	-	Fixed
python3	p9	3.7.17-alt1	3.7.17-alt1	ALT-PU-2024-2598-2	340935	Fixed
python3	c10f1	3.9.16-alt1	3.9.18-alt0.c10f1.1	ALT-PU-2023-1518-1	317117	Fixed
python3	c9f2	3.7.17-alt1	3.7.17-alt1	ALT-PU-2024-3474-2	342077	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://github.com/python/cpython/issues/68966	Issue Tracking Third Party Advisory
https://bugs.python.org/issue24778	Exploit Issue Tracking Vendor Advisory
https://security.netapp.com/advisory/ntap-20220616-0001/	Third Party Advisory
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html	Patch Third Party Advisory
GLSA-202305-02
[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update
[debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update
FEDORA-2022-5ad25e3d3c
FEDORA-2022-cece1d07d9
FEDORA-2022-2e1d1205cf
FEDORA-2022-4b0dfda810
FEDORA-2022-1358cedf2d
FEDORA-2022-0be85556b4
FEDORA-2022-a8e50dc83e
FEDORA-2022-4c788bdc40
FEDORA-2022-9da5703d22
FEDORA-2022-4a69d20cf4
FEDORA-2022-5ea8aa7518
FEDORA-2022-ec74ac4079
FEDORA-2022-17a1bb7e78
FEDORA-2022-dbe9a8f9ac
FEDORA-2022-9dd70781cb
FEDORA-2022-20e87fb0d1
FEDORA-2022-9cd41b6709
FEDORA-2022-d157a91e10
FEDORA-2022-ce55d01569
FEDORA-2022-b499f2a9c6
FEDORA-2022-d1682fef04
FEDORA-2022-79843dfb3c

Affected configurations:
1. Configuration 1
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.8.0
  End including
  3.8.15
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.9.0
  End including
  3.9.15
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.10.0
  End excliding
  3.10.8
  cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
  Start including
  3.7.0
  End including
  3.7.15
  
  Configuration 2
  cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
  cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
  cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
  
  Configuration 3
  cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Version: v24.5.0

Vulnerability CVE-2015-20107: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3