CVE-2020-15271 - Vulnerability Details - OpenCVE

In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lookatme Project	Lookatme

Configuration 1 [-]

cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84
https://github.com/d0c-s4vage/lookatme/pull/110
https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0
https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
https://pypi.org/project/lookatme/#history

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-10-26T18:10:36

Updated: 2024-08-04T13:15:19.024Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15271

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-26T18:15:14.480

Modified: 2024-11-21T05:05:14.360

Link: CVE-2020-15271

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "lookatme", "vendor": "d0c-s4vage", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "descriptions": [{"lang": "en", "value": "In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in \"terminal\" and \"file_loader\" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-26T18:10:36", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/lookatme/#history"}], "source": {"advisory": "GHSA-c84h-w6cr-5v8q", "discovery": "UNKNOWN"}, "title": "Shell Command Execution in lookatme", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15271", "STATE": "PUBLIC", "TITLE": "Shell Command Execution in lookatme"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "lookatme", "version": {"version_data": [{"version_value": "< 2.3.0"}]}}]}, "vendor_name": "d0c-s4vage"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in \"terminal\" and \"file_loader\" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q", "refsource": "CONFIRM", "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"name": "https://github.com/d0c-s4vage/lookatme/pull/110", "refsource": "MISC", "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"name": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84", "refsource": "MISC", "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"name": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0", "refsource": "MISC", "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"name": "https://pypi.org/project/lookatme/#history", "refsource": "MISC", "url": "https://pypi.org/project/lookatme/#history"}]}, "source": {"advisory": "GHSA-c84h-w6cr-5v8q", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:15:19.024Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/lookatme/#history"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15271", "datePublished": "2020-10-26T18:10:36", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:15:19.024Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD795181-94C0-4D6E-BD09-B2F5B2D6A584", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in \"terminal\" and \"file_loader\" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme."}, {"lang": "es", "value": "En lookatme (paquete python/pypi) versiones anteriores a 2.3.0, el paquete cargaba autom\u00e1ticamente las extensiones integradas \"terminal\" y \"file_loader\". Los usuarios que usan lookatme para renderizar rebajas que no son de confianza pueden ejecutar comandos de shell maliciosos autom\u00e1ticamente en su sistema. Esto es corregido en la versi\u00f3n 2.3.0. Como soluci\u00f3n alternativa, los archivos \"lookatme/contrib/terminal.py\" y \"lookatme/contrib/file_loader.py\" pueden ser eliminados manualmente. Adem\u00e1s, es siempre recomendado estar al tanto de lo que se est\u00e1 renderizando con lookatme"}], "id": "CVE-2020-15271", "lastModified": "2024-11-21T05:05:14.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-26T18:15:14.480", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://pypi.org/project/lookatme/#history"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://pypi.org/project/lookatme/#history"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}