CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 86.8%
The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 12.04 | cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* |
canonical | ubuntu_linux | 14.04 | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
canonical | ubuntu_linux | 15.04 | cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:* |
canonical | ubuntu_linux | 15.10 | cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:* |
pygments | pygments | 1.2.2 | cpe:2.3:a:pygments:pygments:1.2.2:*:*:*:*:*:*:* |
pygments | pygments | 1.3 | cpe:2.3:a:pygments:pygments:1.3:*:*:*:*:*:*:* |
pygments | pygments | 1.3.1 | cpe:2.3:a:pygments:pygments:1.3.1:*:*:*:*:*:*:* |
pygments | pygments | 1.4 | cpe:2.3:a:pygments:pygments:1.4:*:*:*:*:*:*:* |
pygments | pygments | 1.5 | cpe:2.3:a:pygments:pygments:1.5:*:*:*:*:*:*:* |
pygments | pygments | 1.6 | cpe:2.3:a:pygments:pygments:1.6:*:*:*:*:*:*:* |
packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html
seclists.org/fulldisclosure/2015/Oct/4
www.debian.org/security/2016/dsa-3445
www.openwall.com/lists/oss-security/2015/12/14/17
www.openwall.com/lists/oss-security/2015/12/14/6
www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
www.ubuntu.com/usn/USN-2862-1
bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff
security.gentoo.org/glsa/201612-05