CVE-2015-20107

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

Published: Apr 13, 2022
Updated: May 9, 2024
CVE: CVE-2015-20107
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.6
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CVSS v2:

Severity: High
Score: 8
AV:N/AC:L/Au:S/C:P/I:C/A:P

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
python / python	3.8.0	3.8.15.x
python / python	3.9.0	3.9.15.x
python / python	3.10.0	3.10.8
python / python	3.7.0	3.7.15.x
fedoraproject / fedora	35	35.x
fedoraproject / fedora	36	36.x
fedoraproject / fedora	37	37.x

https://bugs.python.org/issue24778
https://github.com/python/cpython/issues/68966
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/
https://lists.fedoraproject.org/archives/list/[email protected]/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/
https://lists.fedoraproject.org/archives/list/[email protected]/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/
https://lists.fedoraproject.org/archives/list/[email protected]/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/
https://lists.fedoraproject.org/archives/list/[email protected]/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/
https://lists.fedoraproject.org/archives/list/[email protected]/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/
https://lists.fedoraproject.org/archives/list/[email protected]/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/
https://lists.fedoraproject.org/archives/list/[email protected]/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/
https://lists.fedoraproject.org/archives/list/[email protected]/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/
https://lists.fedoraproject.org/archives/list/[email protected]/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
https://lists.fedoraproject.org/archives/list/[email protected]/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/
https://lists.fedoraproject.org/archives/list/[email protected]/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/
https://lists.fedoraproject.org/archives/list/[email protected]/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/
https://lists.fedoraproject.org/archives/list/[email protected]/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/
https://lists.fedoraproject.org/archives/list/[email protected]/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
https://lists.fedoraproject.org/archives/list/[email protected]/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/
https://lists.fedoraproject.org/archives/list/[email protected]/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20220616-0001/

Vulnerability Database

289,689

CVE-2015-20107