CVE-2020-15271 – lookatme
Package
Manager: pip
Name: lookatme
Vulnerable Version: >=0 <2.3.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
EPSS: 0.00356 (percentile 0.57101)
Details
Markdown-supplied Shell Command Execution

### Impact
lookatme versions prior to 2.3.0 automatically loaded the built-in "terminal" and "file_loader" extensions. Users who render untrusted markdown with lookatme may have malicious shell commands automatically run on their system.

### Patches
Users should upgrade to lookatme version 2.3.0 or above.

### Workarounds
The `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.

### References
* https://github.com/d0c-s4vage/lookatme/pull/110
* https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [d0c-s4vage/lookatme](https://github.com/d0c-s4vage/lookatme)
Metadata
Created: 2020-10-27T17:59:54Z
Modified: 2024-09-30T20:15:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-c84h-w6cr-5v8q/GHSA-c84h-w6cr-5v8q.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-c84h-w6cr-5v8q
Finding: F004
Auto approve: 1