CVE-2015-20107

moderate-risk

Published 2022-04-13

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

Do I need to act?

0.91% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.6/10 High

NETWORK / LOW complexity

Affected Products (8)

Python

Active Iq Unified Manager

Ontap Select Deploy Administration Utility

Snapcenter

Fedora

Affected Vendors

Python Fedoraproject Netapp

References (59)

Exploit https://bugs.python.org/issue24778

Issue Tracking https://github.com/python/cpython/issues/68966

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 39 more references

/ 100

moderate-risk

Severity 27/34 · High

Exploitability 3/34 · Minimal

Exposure 14/34 · Moderate