CVE-2020-17353 — Vulnetix

CVE-2020-17353 PUBLISHED

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.

EPSS 1.26% · 79.8th percentile

Risk Scores

EPSS Score

1.26%

79.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	lilypond	2.18.2-11, 2.18.2-12build1, 2.18.2-12
Ubuntu:20.04:LTS	lilypond	2.20.0-1, 2.19.81+really-2.18.2-13ubuntu1, 2.19.81+really-2.18.2-13ubuntu2
Ubuntu:16.04:LTS	lilypond	0, 2.18.2-4.1, 2.18.2-4

Exploit Intelligence

http://git.savannah.gnu.org/gitweb/?p=lilypond.git%3Ba=commit%3Bh=b84ea4740f3279516905c5db05f4074e777c16ff (circl)
FEDORA-2020-328534eeba (circl)
FEDORA-2020-7cd08d85ce (circl)
DSA-4756 (circl)
openSUSE-SU-2020:1453 (circl)
openSUSE-SU-2020:1506 (circl)

Timeline

Aug 5, 2020 CVE Published
Apr 14, 2021 EPSS Score
Jun 23, 2021 EPSS Score
Aug 24, 2021 EPSS Score
Dec 27, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
May 1, 2022 EPSS Score
Jul 3, 2022 EPSS Score
Sep 4, 2022 EPSS Score
Nov 6, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2020-17353 third-party-advisory
http://git.savannah.gnu.org/gitweb/?p=lilypond.git;a=commit;h=b84ea4740f3279516905c5db05f4074e777c16ff third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-17353 third-party-advisory

Open in Interactive Console →