#VU33604 OS Command Injection - CVE-2015-8557

Cybersecurity Help s.r.o.

Published: 2016-01-08 | Updated: 2020-08-04

Vulnerability identifier: #VU33604

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2015-8557

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

Mitigation
Install update from vendor's website.

External links
https://packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html
https://seclists.org/fulldisclosure/2015/Oct/4
https://www.debian.org/security/2016/dsa-3445
https://www.openwall.com/lists/oss-security/2015/12/14/17
https://www.openwall.com/lists/oss-security/2015/12/14/6
https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://www.ubuntu.com/usn/USN-2862-1
https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff
https://security.gentoo.org/glsa/201612-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Pygments

OS Command Injection in py-pygments (Alpine package)

Fedora 22 update for python-pygments

Amazon Linux AMI update for python-pygments

Fedora 22 update for python-pygments

Fedora 23 update for python-pygments