In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Complete

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:C/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Fedoraproject
  • Fedora
Netapp
  • Active Iq Unified Manager
  • Ontap Select Deploy Administration Utility
  • Snapcenter
Python
  • Python
Redhat
  • Enterprise Linux
  • Rhel Software Collections

Configuration 1 [-]

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
python3-0:3.6.8-47.el8_6 cpe:/a:redhat:enterprise_linux:8 RHSA-2022:6457 2022-09-13T00:00:00Z
python38:3.8-8070020220916150349.bd194b04 cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7581 2022-11-08T00:00:00Z
python38-devel:3.8-8070020220916150349.bd194b04 cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7581 2022-11-08T00:00:00Z
python39:3.9-8070020220916150556.be1f0497 cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7592 2022-11-08T00:00:00Z
python39-devel:3.9-8070020220916150556.be1f0497 cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7592 2022-11-08T00:00:00Z
python27:2.7-8070020220617114255.056aacbc cpe:/a:redhat:enterprise_linux:8 RHSA-2022:7593 2022-11-08T00:00:00Z
python3-0:3.6.8-47.el8_6 cpe:/o:redhat:enterprise_linux:8 RHSA-2022:6457 2022-09-13T00:00:00Z
Red Hat Enterprise Linux 9
python3.9-0:3.9.14-1.el9 cpe:/a:redhat:enterprise_linux:9 RHSA-2022:8353 2022-11-15T00:00:00Z
python3.9-0:3.9.14-1.el9 cpe:/o:redhat:enterprise_linux:9 RHSA-2022:8353 2022-11-15T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-python38-python-0:3.8.14-1.el7 cpe:/a:redhat:rhel_software_collections:3::el7 RHSA-2022:6766 2022-10-03T00:00:00Z
References
Link Providers
https://bugs.python.org/issue24778 cve-icon cve-icon
https://github.com/python/cpython/issues/68966 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2015-20107 cve-icon
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html cve-icon cve-icon cve-icon
https://security.gentoo.org/glsa/202305-02 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20220616-0001/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2015-20107 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-13T00:00:00

Updated: 2024-08-06T08:58:26.556Z

Reserved: 2022-04-13T00:00:00

Link: CVE-2015-20107

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-04-13T16:15:08.937

Modified: 2024-11-21T02:26:33.447

Link: CVE-2015-20107

cve-icon Redhat

Severity : Moderate

Publid Date: 2015-08-02T00:00:00Z

Links: CVE-2015-20107 - Bugzilla