VDB
CVE-2020-17354
CVE-2020-17354
PUBLISHED
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
EPSS 0.06% · 20.0th percentile
Risk Scores
EPSS Score
0.06%
20.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | lilypond | 2.19.81+really-2.18.2-13ubuntu2, 2.19.81+really-2.18.2-13ubuntu1, 0 |
| Ubuntu:16.04:LTS | lilypond | 0, 2.18.2-4, 2.18.2-4.1 |
| Ubuntu:18.04:LTS | lilypond | 2.18.2-12build1, 2.18.2-12, 2.18.2-11 |
Timeline
- Apr 15, 2023 CVE Published
- Apr 16, 2023 EPSS Score
- May 24, 2023 EPSS Score
- Jun 30, 2023 EPSS Score
- Aug 7, 2023 EPSS Score
- Sep 13, 2023 EPSS Score
- Oct 21, 2023 EPSS Score
- Nov 27, 2023 EPSS Score
- Jan 4, 2024 EPSS Score
- Feb 10, 2024 EPSS Score
- Mar 19, 2024 EPSS Score
- Apr 25, 2024 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-17354 third-party-advisory
- https://phabricator.wikimedia.org/T259210 third-party-advisory
- https://phabricator.wikimedia.org/T257062 third-party-advisory
- https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-17354 third-party-advisory