CVE Vulnerabilities

CVE-2015-20107

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Published: Apr 13, 2022 | Modified: Nov 07, 2023
CVSS 3.x
7.6
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS 2.x
8 HIGH
AV:N/AC:L/Au:S/C:P/I:C/A:P
RedHat/V2
RedHat/V3
7.6 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Ubuntu
LOW

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

Weakness

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Python Python 3.7.0 (including) 3.7.15 (including)
Python Python 3.8.0 (including) 3.8.15 (including)
Python Python 3.9.0 (including) 3.9.15 (including)
Python Python 3.10.0 (including) 3.10.8 (excluding)
Python2.7 Ubuntu bionic *
Python2.7 Ubuntu esm-infra/xenial *
Python2.7 Ubuntu focal *
Python2.7 Ubuntu impish *
Python2.7 Ubuntu jammy *
Python2.7 Ubuntu kinetic *
Python2.7 Ubuntu trusty *
Python2.7 Ubuntu trusty/esm *
Python2.7 Ubuntu upstream *
Python2.7 Ubuntu xenial *
Python3.10 Ubuntu impish *
Python3.10 Ubuntu jammy *
Python3.10 Ubuntu upstream *
Python3.4 Ubuntu trusty *
Python3.4 Ubuntu trusty/esm *
Python3.4 Ubuntu upstream *
Python3.5 Ubuntu esm-infra/xenial *
Python3.5 Ubuntu trusty *
Python3.5 Ubuntu trusty/esm *
Python3.5 Ubuntu upstream *
Python3.5 Ubuntu xenial *
Python3.6 Ubuntu bionic *
Python3.6 Ubuntu upstream *
Python3.7 Ubuntu bionic *
Python3.7 Ubuntu esm-apps/bionic *
Python3.7 Ubuntu upstream *
Python3.8 Ubuntu bionic *
Python3.8 Ubuntu esm-apps/bionic *
Python3.8 Ubuntu focal *
Python3.8 Ubuntu upstream *
Python3.9 Ubuntu esm-apps/focal *
Python3.9 Ubuntu focal *
Python3.9 Ubuntu impish *
Python3.9 Ubuntu upstream *
Red Hat Enterprise Linux 8 RedHat python3-0:3.6.8-47.el8_6 *
Red Hat Enterprise Linux 8 RedHat python38:3.8-8070020220916150349.bd194b04 *
Red Hat Enterprise Linux 8 RedHat python38-devel:3.8-8070020220916150349.bd194b04 *
Red Hat Enterprise Linux 8 RedHat python39:3.9-8070020220916150556.be1f0497 *
Red Hat Enterprise Linux 8 RedHat python39-devel:3.9-8070020220916150556.be1f0497 *
Red Hat Enterprise Linux 8 RedHat python27:2.7-8070020220617114255.056aacbc *
Red Hat Enterprise Linux 8 RedHat python3-0:3.6.8-47.el8_6 *
Red Hat Enterprise Linux 9 RedHat python3.9-0:3.9.14-1.el9 *
Red Hat Enterprise Linux 9 RedHat python3.9-0:3.9.14-1.el9 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-python38-python-0:3.8.14-1.el7 *

Extended Description

Command injection vulnerabilities typically occur when:

Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks. Command injection is a common problem with wrapper programs.

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

References