REDHAT-BUG-2075390: Command Injection
First published: Thu Apr 14 2022(Updated: )
A command injection vulnerability was found in Python 2.x and 3.x, specifically within the mailcap module. Mailcap core-module is based on the format documented in RFC 1524. The “findmatch()” function does not sanitise the second argument (filename). As a result, the legitimate command (that is used for opening the specified mime type) is concatenated with an arbitrary command, injected by an attacker.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Babel Localedata | >=2.0<=3.x |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/python/cpython/issues/68966
- https://bugs.python.org/issue24778
- https://mail.python.org/archives/list/security-announce@python.org/thread/QDSXNCW77UGULFG2JMDFZQ7H4DIR32LA/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076508
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076509
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076510
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076511
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076512
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076513
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076514
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076515
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076516
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076507
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076526
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076533
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076530
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076531
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076532
- https://github.com/python/cpython/pull/91993
- https://access.redhat.com/errata/RHSA-2022:6457
- https://access.redhat.com/errata/RHSA-2022:6766
- https://access.redhat.com/errata/RHSA-2022:7581
- https://access.redhat.com/errata/RHSA-2022:7592
- https://access.redhat.com/errata/RHSA-2022:7593
- https://access.redhat.com/errata/RHSA-2022:8353
- https://access.redhat.com/security/cve/cve-2015-20107
- https://bugzilla.redhat.com/show_bug.cgi?id=2075390
Frequently Asked Questions
What is the severity of REDHAT-BUG-2075390?
The severity of REDHAT-BUG-2075390 is classified as high due to the potential for command injection.
How do I fix REDHAT-BUG-2075390?
To fix REDHAT-BUG-2075390, you should update to the latest version of Python that addresses this vulnerability.
What versions of Python are affected by REDHAT-BUG-2075390?
REDHAT-BUG-2075390 affects Python versions from 2.0 to 3.x.
What component of Python is vulnerable in REDHAT-BUG-2075390?
The vulnerable component in REDHAT-BUG-2075390 is the mailcap module, specifically the findmatch() function.
Can REDHAT-BUG-2075390 lead to remote code execution?
Yes, if exploited, REDHAT-BUG-2075390 can potentially lead to remote code execution through command injection.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-20107
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/python
- canonical/python babel localedata