CVE-2015-20107

Updated: 2026-02-20 04:38:49.008646

Description:

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | HIGH | 8.0 |
| CVSS Version 3.x | HIGH | 7.6 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.9 | 7.6 | HIGH | Not Vulnerable | | 2026-02-02 14:29:45 | Not affected: the deployed CPython version is 3.9.23, which already includes the upstream fix for th... |
| Alpine Linux 3.22 | python | 3.7 | 7.6 | HIGH | Not Vulnerable | | 2026-02-16 14:39:52 | Not affected: the deployed CPython version is 3.9.23, which already includes the upstream fix for th... |
| Alpine Linux 3.22 | python | 3.8 | 7.6 | HIGH | Not Vulnerable | | 2026-02-07 04:07:31 | Not affected: the deployed CPython version is 3.9.23, which already includes the upstream fix for th... |
| Alpine Linux 3.22 | python | 3.6 | 7.6 | HIGH | In Testing | | 2026-02-20 19:11:29 | Not affected: the deployed CPython version is 3.9.23, which already includes the upstream fix for th... |
| Debian 10 | python | 3.6 | 7.6 | HIGH | In Testing | | 2026-02-20 19:11:33 | |
| Debian 10 | python | 2.7 | 7.6 | HIGH | In Testing | | 2026-02-20 19:11:31 | |
| Debian 11 | python | 2.7 | 7.6 | HIGH | In Testing | | 2026-02-20 19:11:30 | |
| Debian 11 | python | 3.6 | 7.6 | HIGH | In Testing | | 2026-02-20 19:11:32 | |
| Debian 12 | python | 3.9 | 7.6 | HIGH | Not Vulnerable | | 2025-12-05 14:56:39 | Not affected: the deployed CPython version is 3.9.23, which already includes the upstream fix for th... |
| Debian 12 | python | 3.7 | 7.6 | HIGH | Not Vulnerable | | 2025-11-12 16:12:12 | Not affected: the deployed CPython version is 3.9.23, which already includes the upstream fix for th... |
Total: 36