CVE-2015-8557
published 2016-01-08


Priority: P2 · 64 · critical
CVSS 3.0: 9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 6.66% (93.1st percentile)
The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

Affected (18 ranges)

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | (not listed) | (not listed)   [4 entries]
debian | pygments | < pygments 2.0.1+dfsg-2 (bookworm) | pygments 2.0.1+dfsg-2 (bookworm)
pygments | pygments | (not listed) | (not listed)   [8 entries]
pygments | pygments | >= 0 < 2.0.1+dfsg-2 | 2.0.1+dfsg-2   [4 entries]
pygments | pygments | >= 1.2.2 < 2.1 | 2.1

Detection & IOCs (extracted from sources)

path: formatters/img.py
command: fc-list "%s:style=%s" file
  • Shell injection via unsanitized font name passed to getstatusoutput(); monitor for shell metacharacters (e.g. `;`, `|`, `$()`, backticks) in font name arguments supplied to Pygments ImageFormatter.
  • Monitor for unexpected child processes spawned by fc-list (e.g. via getstatusoutput) that include shell metacharacters or additional commands in their argument list, indicating exploitation of the font name injection.
  • Exploitation requires use of Pygments image formatters with attacker-controlled font name input; triage any application exposing Pygments ImageFormatter options to untrusted users.
  • The vulnerability only triggers on NIX (Unix-like) systems where the image formatter code path is reachable and the attacker can control the font name option passed to ImageFormatter.
  • Affected Pygments versions are 1.2.2 through 2.0.2; the fix was introduced in patched builds (e.g. 2.0.1+dfsg-2 on Debian, 2.0.2-3 on Fedora).
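The pattern behind the detection notes above, as an added example that is not Pygments' own code: the single-string command that a shell re-parses (the shape the advisory describes for 1.2.2 through 2.0.2), beside the argv form that keeps the font name as one argument, and an allow-list check a wrapper can apply before passing a user-supplied font name to an ImageFormatter. Function names are hypothetical, the sample font names are constructed, and it is an assumption that the upstream fix took the argv-based subprocess route shown here; nothing in the block actually runs fc-list.

```python
"""Shell-injection pattern behind CVE-2015-8557 and its hardened counterpart.

Added example, not Pygments' own code. Nothing here executes fc-list; the
helpers only build and inspect command forms and validate font names.
"""
import re
import shlex
import subprocess
from typing import List, Optional

# Metacharacters named in the detection guidance (;, |, $(), backticks) plus
# the other characters a POSIX shell treats specially. Assumption: a real
# font name never needs any of them, so an allow-list rejection is safe.
_SHELL_META = re.compile(r"[;|&`$<>(){}\[\]\n\r\\\"']")


def build_command_unsafe(name: str, style: str) -> str:
    """Vulnerable shape: the font name is interpolated into one string that
    getstatusoutput() would hand to a shell, which re-tokenises it."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def build_command_argv(name: str, style: str) -> List[str]:
    """Hardened shape: one argv entry per argument and no shell at all, so
    whatever the font name contains reaches fc-list as plain data."""
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def shell_words(command: str) -> List[str]:
    """How a POSIX shell would split the unsafe string (shlex mirrors the
    quoting rules). More than three words means the font name broke out of
    its quotes, which is exactly what the monitoring bullets look for."""
    return shlex.split(command)


def is_safe_font_name(name: str) -> bool:
    """Allow-list check for a font name received from an untrusted caller."""
    return bool(name) and not _SHELL_META.search(name)


def lookup_font_file(name: str, style: str) -> Optional[str]:
    """Run the hardened form. Returns fc-list's output, or None when the
    name fails validation or fc-list is not installed (e.g. non-NIX hosts)."""
    if not is_safe_font_name(name):
        return None
    try:
        proc = subprocess.run(
            build_command_argv(name, style),  # list argv => shell=False
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return proc.stdout


if __name__ == "__main__":
    benign = "DejaVu Sans"
    hostile = 'Foo"; echo x; "'  # constructed: closes the quote and adds words
    print(shell_words(build_command_unsafe(benign, "Regular")))   # 3 words
    print(shell_words(build_command_unsafe(hostile, "Regular")))  # 6 words
    print(build_command_argv(hostile, "Regular"))  # name stays one argument
    print(is_safe_font_name(benign), is_safe_font_name(hostile))
```

The contrast worth noticing is in the two `hostile` lines: the string form splits into six shell words, while the argv form keeps the same input inside a single element, so the extra words never become a command. The validator is the belt to that suspenders: even with argv in place, rejecting metacharacters at the boundary gives a clear signal to log and alert on.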

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv | | 9.0 | CRITICAL |
vendor_debian | | 9.0 | CRITICAL |
vendor_redhat | | 9.0 | CRITICAL |