DEBIAN-CVE-2015-20107

DEBIAN-CVE-2015-20107 PUBLISHED CVSS 7.599999904632568 HIGH

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

Risk Scores

CVSS v3.1

7.599999904632568

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Affected Products

Vendor	Product	Versions
Debian:12	pypy3	0, 0, 0
Debian:11	pypy3	*, 7.3.14+dfsg-1, 7.3.15+dfsg-1
Debian:13	pypy3	0, 0, 0
Debian:11	python2.7	2.7.18-13.2, 2.7.18-8, 2.7.18-8
Debian:14	pypy3	0, 0, 0
Debian:11	python3.9	0, 3.9.2-1, 3.9.2-1+deb11u1

Timeline

Apr 13, 2022 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2015-20107 advisory

Open in Interactive Console →