CVE-2020-15271
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
26/10/2020
Last modified:
13/11/2020
Description
In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
9.30
Severity 2.0
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:* | 2.3.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84
- https://github.com/d0c-s4vage/lookatme/pull/110
- https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0
- https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
- https://pypi.org/project/lookatme/#history