CVE-2015-20107
Summary
| CVE | CVE-2015-20107 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-04-13 16:15:00 UTC |
| Updated | 2023-11-07 02:25:00 UTC |
| Description | In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9. |
Risk And Classification
Problem Types: CWE-77
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Application | Netapp | Active Iq Unified Manager | - | All | All | All |
| Application | Netapp | Ontap Select Deploy Administration Utility | - | All | All | All |
| Application | Netapp | Snapcenter | - | All | All | All |
| Application | Python | Python | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 35 Update: pypy3.9-7.3.9-2.3.9.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python3-docs-3.10.5-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Issue 24778: mailcap.findmatch: document shell command Injection danger in filename parameter - Python tracker | MISC | bugs.python.org | |
| mailcap.findmatch: document shell command Injection danger in filename parameter · Issue #68966 · python/cpython · GitHub | MISC | github.com | |
| [SECURITY] Fedora 36 Update: mingw-python3-3.10.8-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python2.7-2.7.18-22.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: pypy-7.3.9-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: python3.6-3.6.15-9.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: pypy3.9-7.3.9-2.3.9.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 3477-1] python3.7 security update | MLIST | lists.debian.org | |
| [SECURITY] Fedora 36 Update: pypy3.7-7.3.9-2.3.7.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 3432-1] python2.7 security update | MLIST | lists.debian.org | |
| [SECURITY] Fedora 36 Update: python3.10-3.10.5-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: pypy-7.3.9-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: pypy3.8-7.3.9-2.3.8.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: python3.8-3.8.13-3.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: python2.7-2.7.18-22.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: python3.7-3.7.13-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security | GENTOO | security.gentoo.org | |
| mailcap shell command injection — Python Security 0.0 documentation | CONFIRM | python-security.readthedocs.io | |
| [SECURITY] Fedora 37 Update: mingw-python3-3.10.8-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE-2015-20107 Python Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] Fedora 35 Update: python3.9-3.9.13-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python3.8-3.8.13-3.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: python3.9-3.9.13-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python3.6-3.6.15-3.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: pypy3.7-7.3.9-2.3.7.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: pypy3.8-7.3.9-2.3.8.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: python3.7-3.7.13-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160086 Oracle Enterprise Linux Security Update for python3 (ELSA-2022-6457)
- 160209 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2022-7581)
- 160227 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2022-7592)
- 160249 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2022-7593)
- 160271 Oracle Enterprise Linux Security Update for python3.9 (ELSA-2022-8353)
- 181802 Debian Security Update for python2.7 (DLA 3432-1)
- 198862 Ubuntu Security Notification for Python Vulnerability (USN-5519-1)
- 199497 Ubuntu Security Notification for Python Vulnerabilities (USN-5888-1)
- 240663 Red Hat Update for python3 (RHSA-2022:6457)
- 240700 Red Hat Update for rh-python38-python (RHSA-2022:6766)
- 240812 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2022:7581)
- 240818 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2022:7592)
- 240860 Red Hat Update for python27:2.7 (RHSA-2022:7593)
- 240914 Red Hat Update for python3.9 security (RHSA-2022:8353)
- 282839 Fedora Security Update for python3.6 (FEDORA-2022-cece1d07d9)
- 282840 Fedora Security Update for python3.6 (FEDORA-2022-4b0dfda810)
- 282841 Fedora Security Update for python3.7 (FEDORA-2022-1358cedf2d)
- 282842 Fedora Security Update for python3.7 (FEDORA-2022-4c788bdc40)
- 282843 Fedora Security Update for python3.8 (FEDORA-2022-2e1d1205cf)
- 282844 Fedora Security Update for python3.8 (FEDORA-2022-a8e50dc83e)
- 282849 Fedora Security Update for python3.9 (FEDORA-2022-0be85556b4)
- 282850 Fedora Security Update for python3.9 (FEDORA-2022-5ad25e3d3c)
- 282851 Fedora Security Update for python2.7 (FEDORA-2022-4a69d20cf4)
- 282853 Fedora Security Update for python3 (FEDORA-2022-9da5703d22)
- 282855 Fedora Security Update for python3 (FEDORA-2022-5ea8aa7518)
- 282871 Fedora Security Update for python2.7 (FEDORA-2022-ec74ac4079)
- 282911 Fedora Security Update for pypy (FEDORA-2022-ce55d01569)
- 282912 Fedora Security Update for pypy (FEDORA-2022-9dd70781cb)
- 282913 Fedora Security Update for pypy3.7 (FEDORA-2022-20e87fb0d1)
- 282914 Fedora Security Update for pypy3.7 (FEDORA-2022-d157a91e10)
- 282915 Fedora Security Update for pypy3.8 (FEDORA-2022-b499f2a9c6)
- 282916 Fedora Security Update for pypy3.8 (FEDORA-2022-9cd41b6709)
- 282917 Fedora Security Update for pypy3.9 (FEDORA-2022-17a1bb7e78)
- 282918 Fedora Security Update for pypy3.9 (FEDORA-2022-dbe9a8f9ac)
- 283294 Fedora Security Update for mingw (FEDORA-2022-d1682fef04)
- 283444 Fedora Security Update for mingw (FEDORA-2022-79843dfb3c)
- 285297 Fedora Security Update for pypy3.10 (FEDORA-2023-ddde191e04)
- 296098 Oracle Solaris 11.4 Support Repository Update (SRU) 52.132.2 Missing (CPUOCT2022)
- 377718 Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2022:0170)
- 378004 Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215,SVD-2023-0211,SVD-2023-0208)
- 502787 Alpine Linux Security Update for python3
- 6000019 Debian Security Update for python3.7 (DLA 3477-1)
- 671909 EulerOS Security Update for python3 (EulerOS-SA-2022-2008)
- 671944 EulerOS Security Update for python3 (EulerOS-SA-2022-1978)
- 671988 EulerOS Security Update for python3 (EulerOS-SA-2022-2144)
- 672002 EulerOS Security Update for python3 (EulerOS-SA-2022-2169)
- 672252 EulerOS Security Update for python (EulerOS-SA-2022-2632)
- 672399 EulerOS Security Update for python3 (EulerOS-SA-2022-2805)
- 672408 EulerOS Security Update for python2 (EulerOS-SA-2022-2804)
- 672843 EulerOS Security Update for python3 (EulerOS-SA-2023-1587)
- 672853 EulerOS Security Update for python3 (EulerOS-SA-2023-1577)
- 710714 Gentoo Linux Python, PyPy3 Multiple Vulnerabilities (GLSA 202305-02)
- 752256 SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2022:2147-1)
- 752259 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:2166-1)
- 752275 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2022:2174-1)
- 752281 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:2248-1)
- 752282 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:2249-1)
- 752327 SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:2344-1)
- 752335 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:2351-1)
- 752336 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:2357-1)
- 753766 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2023:0707-1)
- 900829 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (9441)
- 900845 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (9442)
- 901670 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (9417)
- 903956 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (9417-1)
- 904186 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (9442-1)
- 904206 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (9441-1)
- 940653 AlmaLinux Security Update for python3 (ALSA-2022:6457)
- 940760 AlmaLinux Security Update for python27:2.7 (ALSA-2022:7593)
- 940776 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2022:7592)
- 940777 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2022:7581)
- 940790 AlmaLinux Security Update for python3.9 (ALSA-2022:8353)
- 960473 Rocky Linux Security Update for python27:2.7 (RLSA-2022:7593)
- 960542 Rocky Linux Security Update for python3.9 (RLSA-2022:8353)
- 960594 Rocky Linux Security Update for python39:3.9 and python39-devel:3.9 (RLSA-2022:7592)
- 960618 Rocky Linux Security Update for python38:3.8 and python38-devel:3.8 (RLSA-2022:7581)