Vulnerability Details : CVE-2015-20107
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9
Products affected by CVE-2015-20107
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2015-20107
Top countries where our scanners detected CVE-2015-20107
Top open port discovered on systems with this issue
80
IPs affected by CVE-2015-20107 286,365
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2015-20107!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2015-20107
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-20107
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.0
|
HIGH | AV:N/AC:L/Au:S/C:P/I:C/A:P |
8.0
|
8.5
|
NIST | |
7.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
2.8
|
4.7
|
NIST |
CWE ids for CVE-2015-20107
-
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-20107
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/
[SECURITY] Fedora 35 Update: python3.6-3.6.15-3.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/
[SECURITY] Fedora 35 Update: python3.7-3.7.13-2.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/
[SECURITY] Fedora 36 Update: pypy3.8-7.3.9-2.3.8.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/
[SECURITY] Fedora 36 Update: python3.7-3.7.13-2.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
[SECURITY] [DLA 3477-1] python3.7 security update
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/
[SECURITY] Fedora 35 Update: python3.9-3.9.13-2.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/
[SECURITY] Fedora 36 Update: pypy3.9-7.3.9-2.3.9.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
[SECURITY] Fedora 36 Update: mingw-python3-3.10.8-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/
[SECURITY] Fedora 35 Update: python3-docs-3.10.5-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/
[SECURITY] Fedora 35 Update: pypy-7.3.9-2.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/
[SECURITY] Fedora 36 Update: python3.6-3.6.15-9.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/
[SECURITY] Fedora 36 Update: python2.7-2.7.18-22.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
[SECURITY] [DLA 3432-1] python2.7 security update
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/
[SECURITY] Fedora 35 Update: pypy3.8-7.3.9-2.3.8.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/
[SECURITY] Fedora 36 Update: pypy3.7-7.3.9-2.3.7.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html
mailcap shell command injection — Python Security 0.0 documentationPatch;Third Party Advisory
-
https://bugs.python.org/issue24778
Issue 24778: mailcap.findmatch: document shell command Injection danger in filename parameter - Python trackerExploit;Issue Tracking;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/
[SECURITY] Fedora 36 Update: pypy-7.3.9-2.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20220616-0001/
CVE-2015-20107 Python Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://github.com/python/cpython/issues/68966
mailcap.findmatch: document shell command Injection danger in filename parameter · Issue #68966 · python/cpython · GitHubIssue Tracking;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/
[SECURITY] Fedora 35 Update: pypy3.9-7.3.9-2.3.9.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
[SECURITY] Fedora 37 Update: mingw-python3-3.10.8-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/
[SECURITY] Fedora 36 Update: python3.10-3.10.5-2.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202305-02
Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/
[SECURITY] Fedora 35 Update: pypy3.7-7.3.9-2.3.7.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/
[SECURITY] Fedora 35 Update: python3.8-3.8.13-3.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/
[SECURITY] Fedora 36 Update: python3.9-3.9.13-2.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/
[SECURITY] Fedora 36 Update: python3.8-3.8.13-3.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/
[SECURITY] Fedora 35 Update: python2.7-2.7.18-22.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to