CVE-2015-20107

Advisory lineage Upstream: 0 Downstream: 32
Modified
Published: 13 Apr 2022, 00:00
Last modified:03 Nov 2025, 21:43

Vulnerability Summary

Overall Risk (default)
medium
42/100
CVSS Score
8 HIGH
v2.0 (nvd)
EPSS Score
0.87% LOW
1% probability -0.06%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

13 Apr 2022, 00:00
Published
Vulnerability first disclosed
03 Nov 2025, 21:43
Last Modified
Vulnerability information updated

Description

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

CVSS Metrics

  • v3.1HIGHScore: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
  • v2.0HIGHScore: 8AV:N/AC:L/Au:S/C:P/I:C/A:P

EPSS Trends

Current EPSS score: 0.87% Percentile: 76%

Techniques & Countermeasures

  • CWE-77Improper Neutralization of Special Elements used in a Command ('Command Injection')

    The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

  • fedoraprojectfedora

    35 | 36 | 37

  • netappactive_iq_unified_manager

    na

  • netappontap_select_deploy_administration_utility

    na

  • netappsnapcenter

    na

  • pythonpython

    ≥ 3.7.0, ≤ 3.7.15 | ≥ 3.8.0, ≤ 3.8.15 | ≥ 3.9.0, ≤ 3.9.15 | ≥ 3.10.0, < 3.10.8

References (30)