CVE-2020-15271 : In lookatme (python/pypi package) versions prior to 2.3.0, the package automatic

In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.

Published 2020-10-26 18:15:14

Updated 2020-11-13 16:40:26

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2020-15271

Lookatme Project » Lookatme
Versions before (<) 2.3.0
cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15271

EPSS FAQ

0.36%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 55 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15271

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.3	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N	2.8	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-15271

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2020-15271

https://pypi.org/project/lookatme/#history

lookatme · PyPI
Release Notes;Third Party Advisory
https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84

Merge pull request #110 from d0c-s4vage/feature/109-extension_warnings · d0c-s4vage/lookatme@72fe36b · GitHub
Patch;Third Party Advisory
https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0

Release v2.3.0 · d0c-s4vage/lookatme · GitHub
Release Notes;Third Party Advisory
https://github.com/d0c-s4vage/lookatme/pull/110

Adds warnings about loading extensions by d0c-s4vage · Pull Request #110 · d0c-s4vage/lookatme · GitHub
Exploit;Third Party Advisory
https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q

Markdown-supplied Shell Command Execution · Advisory · d0c-s4vage/lookatme · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-15271

Products affected by CVE-2020-15271

Exploit prediction scoring system (EPSS) score for CVE-2020-15271

CVSS scores for CVE-2020-15271

CWE ids for CVE-2020-15271

References for CVE-2020-15271