PT-2015-7803 · Pygments+1 · Pygments+1

Stefan Cornelius

Publicado

2015-12-16

Atualizado

2022-05-17

CVE-2015-8557

CVSS v4.0

9.5

Crítica

Vetor

AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions Pygments versions 1.2.2 through 2.0.2

Description The issue allows remote attackers to execute arbitrary commands via shell metacharacters in a font name, specifically in the FontManager. get nix font path function in formatters/img.py.

Recommendations For Pygments versions 1.2.2 through 2.0.2, consider disabling the FontManager. get nix font path function until a patch is available to prevent the execution of arbitrary commands. Restrict access to the formatters/img.py module to minimize the risk of exploitation. Avoid using font names that contain shell metacharacters in the affected function until the issue is resolved.

Correção

RCE

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78

Identificadores relacionados

CVE-2015-8557

DLA-369-1

DSA-3445-1

GHSA-FFF8-4W9P-7V76

MGASA-2015-0478

PYSEC-2016-32

USN-2862-1

Produtos afetados

Pygments

Ubuntu

PT-2015-7803 · Pygments+1 · Pygments+1

CVE-2015-8557

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 29