Arbitrary Command Injection

Affecting pygments package, versions [1.2.2,2.0.2]

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

pygments is a syntax highlighting package written in Python.

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

References

CVSS Score

9.0
critical severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Credit
Unknown
CVE
CVE-2015-8557
CWE
CWE-78
Snyk ID
SNYK-PYTHON-PYGMENTS-40362
Disclosed
21 Aug, 2015
Published
21 Aug, 2015