Python 命令注入漏洞（CVE-2015-20107）

admin

0
文章

0
评论

2023-11-30 08:13:39 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 Python 命令注入漏洞（CVE-2015-20107）

CVE编号

CVE-2015-20107

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-04-14

漏洞描述

Python是Python基金会的一套开源的、面向对象的程序设计语言。该语言具有可扩展、支持模块和包、支持多种平台等特点。 Python 3.10.8 版本及之前版本存在安全漏洞，该漏洞源于 mailcap 模块不会将转义字符添加到系统 mailcap 文件中发现的命令中。

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://bugs.python.org/issue24778
https://github.com/python/cpython/issues/68966
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20220616-0001/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	python	python	*		Up to (excluding) 3.10.8
	运行在以下环境
	系统	alpine_3.17	python3	*		Up to (excluding) 3.10.5-r0
	运行在以下环境
	系统	alpine_3.18	python3	*		Up to (excluding) 3.10.5-r0
	运行在以下环境
	系统	alpine_edge	python3	*		Up to (excluding) 3.10.5-r0
	运行在以下环境
	系统	anolis_os_8	python3-idle	*		Up to (excluding) 3.6.8-47.0.1
	运行在以下环境
	系统	centos_8	python3-debugsource	*		Up to (excluding) 3.6.8-47.el8_6
	运行在以下环境
	系统	debian_10	python2.7	*		Up to (excluding) 2.7.16-2+deb10u2
	运行在以下环境
	系统	debian_11	python2.7	*		Up to (including) 2.7.18-8+deb11u1
	运行在以下环境
	系统	debian_12	python2.7	*		Up to (including) 2.7.18-13.2
	运行在以下环境
	系统	debian_9	python2.7	*		Up to (including) 2.7.13-2+deb9u3
	运行在以下环境
	系统	debian_sid	python3.10	*		Up to (excluding) 3.10.6-1
	运行在以下环境
	系统	fedora_35	python3.9-debugsource	*		Up to (excluding) 3.10.5-2.fc35
	运行在以下环境
	系统	fedora_36	python3.9-debuginfo	*		Up to (excluding) 3.10.5-2.fc36
	运行在以下环境
	系统	fedora_37	python3.9-debuginfo	*		Up to (excluding) 3.10.5-2.fc37
	运行在以下环境
	系统	fedora_39	pypy3.10-devel	*		Up to (excluding) 7.3.12-1.3.10.fc39
	运行在以下环境
	系统	fedora_40	pypy3.10-devel	*		Up to (excluding) 7.3.12-1.3.10.fc40
	运行在以下环境
	系统	kylinos_aarch64_V10	python3	*		Up to (excluding) 3.7.9-18.se.05.p03.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	python3	*		Up to (excluding) 3.7.9-20.p02.se.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	python3	*		Up to (excluding) 3.7.9-20.p02.se.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	python3	*		Up to (excluding) 3.7.9-18.se.04.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	python3	*		Up to (excluding) 3.7.9-7.p08.se.a.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP3	python3	*		Up to (excluding) 3.7.9-18.se.03.p04.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	python3	*		Up to (excluding) 3.7.9-18.se.05.p03.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	python3	*		Up to (excluding) 3.7.9-20.p02.se.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	python3	*		Up to (excluding) 3.7.9-20.p02.se.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP3	python3	*		Up to (excluding) 3.7.9-18.se.05.p03.ky10
	运行在以下环境
	系统	opensuse_5.2	libpython3_6m1_0	*		Up to (excluding) 3.6.15-150300.10.27.1
	运行在以下环境
	系统	opensuse_Leap_15.3	python3-tools	*		Up to (excluding) 3.9.13-150300.4.13.1
	运行在以下环境
	系统	opensuse_Leap_15.4	python3-tools	*		Up to (excluding) 3.10.5-150400.4.7.1
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 1.3.7-31.module+el8.5.0+20361+8a9d3d27
	运行在以下环境
	系统	oracle_9	oraclelinux-release	*		Up to (excluding) 3.9.14-1.el9
	运行在以下环境
系统	redhat_8	python3-debugsource	*		Up to (excluding) 3.6.8-47.el8_6
运行在以下环境
系统	redhat_9	python3.9-debugsource	*		Up to (excluding) 3.9.14-1.el9
运行在以下环境
系统	suse_12_SP5	python36	*		Up to (excluding) 2.7.18-33.11.1
运行在以下环境
系统	ubuntu_18.04	python3.8	*		Up to (excluding) 3.6.9-1~18.04ubuntu1.8
运行在以下环境
系统	ubuntu_20.04	python3.8	*		Up to (excluding) 3.8.10-0ubuntu1~20.04.5
运行在以下环境
系统	ubuntu_21.10	python3.9	*		Up to (excluding) 3.9.7-2ubuntu0.1
运行在以下环境
系统	ubuntu_22.04	python3.10	*		Up to (excluding) 2.7.18-13ubuntu1.1
运行在以下环境
系统	ubuntu_22.10	python2.7	*		Up to (excluding) 2.7.18-13ubuntu2