VDB
ALPINE-CVE-2015-20107
ALPINE-CVE-2015-20107
PUBLISHED
CVSS 7.599999904632568 HIGH
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9
Risk Scores
CVSS v3.1
7.599999904632568
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.17 | python3 | 3.9.7-r4, 3.9.7-r3, 3.9.7-r2 |
| Alpine:v3.20 | python3 | 3.2.0-r0, 0, 3.1.3-r0 |
| Alpine:v3.19 | python3 | 3.8.1-r2, 3.9.7-r4, 3.9.7-r3 |
| Alpine:v3.21 | python3 | 3.9.7-r4, 3.9.7-r3, 3.9.7-r2 |
| Alpine:v3.18 | python3 | 3.5.2-r1, 0, 3.10.0-r0 |
| Alpine:v3.23 | python3 | 3.9.7-r4, 0, 3.1.3-r0 |
| Alpine:v3.22 | python3 | 3.10.2-r1, 3.9.7-r4, 3.9.7-r3 |
Timeline
- Apr 13, 2022 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch