CVE-2020-15271 - OpenCVE

In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Lookatme Project	Lookatme

Configuration 1 [-]

cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84	Patch Third Party Advisory
https://github.com/d0c-s4vage/lookatme/pull/110	Exploit Third Party Advisory
https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0	Release Notes Third Party Advisory
https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q	Third Party Advisory
https://pypi.org/project/lookatme/#history	Release Notes Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-10-26T18:10:36

Updated: 2020-10-26T18:10:36

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15271

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-26T18:15:14.480

Modified: 2020-11-13T16:40:26.490

Link: CVE-2020-15271

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "lookatme", "vendor": "d0c-s4vage", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "descriptions": [{"lang": "en", "value": "In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in \"terminal\" and \"file_loader\" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-26T18:10:36", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/lookatme/#history"}], "source": {"advisory": "GHSA-c84h-w6cr-5v8q", "discovery": "UNKNOWN"}, "title": "Shell Command Execution in lookatme", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15271", "STATE": "PUBLIC", "TITLE": "Shell Command Execution in lookatme"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "lookatme", "version": {"version_data": [{"version_value": "< 2.3.0"}]}}]}, "vendor_name": "d0c-s4vage"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in \"terminal\" and \"file_loader\" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q", "refsource": "CONFIRM", "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"name": "https://github.com/d0c-s4vage/lookatme/pull/110", "refsource": "MISC", "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"name": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84", "refsource": "MISC", "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"name": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0", "refsource": "MISC", "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"name": "https://pypi.org/project/lookatme/#history", "refsource": "MISC", "url": "https://pypi.org/project/lookatme/#history"}]}, "source": {"advisory": "GHSA-c84h-w6cr-5v8q", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15271", "datePublished": "2020-10-26T18:10:36", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-10-26T18:10:36", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD795181-94C0-4D6E-BD09-B2F5B2D6A584", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in \"terminal\" and \"file_loader\" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme."}, {"lang": "es", "value": "En lookatme (paquete python/pypi) versiones anteriores a 2.3.0, el paquete cargaba autom\u00e1ticamente las extensiones integradas \"terminal\" y \"file_loader\". Los usuarios que usan lookatme para renderizar rebajas que no son de confianza pueden ejecutar comandos de shell maliciosos autom\u00e1ticamente en su sistema. Esto es corregido en la versi\u00f3n 2.3.0. Como soluci\u00f3n alternativa, los archivos \"lookatme/contrib/terminal.py\" y \"lookatme/contrib/file_loader.py\" pueden ser eliminados manualmente. Adem\u00e1s, es siempre recomendado estar al tanto de lo que se est\u00e1 renderizando con lookatme"}], "id": "CVE-2020-15271", "lastModified": "2020-11-13T16:40:26.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-10-26T18:15:14.480", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/pull/110"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://pypi.org/project/lookatme/#history"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}