CVE-2020-15271

In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
GitHub_MCNA
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
VendorProductVersion
lookatme_projectlookatme
𝑥
< 2.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lookatme
bullseye
2.3.0-1
fixed
bookworm
2.5.4-1
fixed
sid
2.5.4-3
fixed
trixie
2.5.4-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lookatme
groovy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84
https://github.com/d0c-s4vage/lookatme/pull/110
https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0
https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
https://pypi.org/project/lookatme/#history
https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84
https://github.com/d0c-s4vage/lookatme/pull/110
https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0
https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
https://pypi.org/project/lookatme/#history