CVE-2015-8557 — OS Command Injection in Pygments

CWE-78 — OS Command Injection CWE-77 — Command Injection9 documents7 sources

Severity

9.0CRITICALNVD

EPSS

5.7%

top 9.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pygments Debian Pygments Canonical Ubuntu Linux

Timeline

PublishedJan 8

Latest updateMay 17

Description

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages4 packages

▶debiandebian/pygments< pygments 2.0.1+dfsg-2 (bookworm)

▶PyPIpygments/pygments1.2.2 — 2.1

▶Debianpygments/pygments< 2.0.1+dfsg-2+3

▶NVDpygments/pygments8 versions+7

Also affects: Ubuntu Linux 12.04, 14.04, 15.04, 15.10

🔴Vulnerability Details

OSV

Command Injection in Pygments↗2022-05-17

▶

GHSA

Command Injection in Pygments↗2022-05-17

▶

OSV

CVE-2015-8557: The FontManager↗2016-01-08

▶

📋Vendor Advisories

Ubuntu

Pygments vulnerability↗2016-01-07

▶

Red Hat

python-pygments: Shell injection in FontManager._get_nix_font_path↗2015-09-28

▶

Debian

CVE-2015-8557: pygments - The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2...↗2015

▶

💬Community

Bugzilla

CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path↗2015-10-29

▶

Bugzilla

CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path [fedora-all]↗2015-10-29

▶