PT-2015-7803 · Pygments+1 · Pygments+1

Stefan Cornelius

Published

2015-12-16

Updated

2022-05-17

CVE-2015-8557

CVSS v4.0

9.5

Critical

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions Pygments versions 1.2.2 through 2.0.2

Description The issue allows remote attackers to execute arbitrary commands via shell metacharacters in a font name, specifically in the FontManager. get nix font path function in formatters/img.py.

Recommendations For Pygments versions 1.2.2 through 2.0.2, consider disabling the FontManager. get nix font path function until a patch is available to prevent the execution of arbitrary commands. Restrict access to the formatters/img.py module to minimize the risk of exploitation. Avoid using font names that contain shell metacharacters in the affected function until the issue is resolved.

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2015-8557

DLA-369-1

DSA-3445-1

GHSA-FFF8-4W9P-7V76

MGASA-2015-0478

PYSEC-2016-32

USN-2862-1

Affected Products

Pygments

Ubuntu

PT-2015-7803 · Pygments+1 · Pygments+1

CVE-2015-8557

Weakness Enumeration

Related Identifiers

Affected Products

References · 29