Vulnerability Details: CVE-2020-17353
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 78.6%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2020-17353
- cpe:2.3:a:lilypond:lilypond:2.10.0
- cpe:2.3:a:lilypond:lilypond:2.10.33
- cpe:2.3:a:lilypond:lilypond:2.12.0
- cpe:2.3:a:lilypond:lilypond:2.12.3
- cpe:2.3:a:lilypond:lilypond:2.14.0
- cpe:2.3:a:lilypond:lilypond:2.14.2
- cpe:2.3:a:lilypond:lilypond:2.16.0
- cpe:2.3:a:lilypond:lilypond:2.16.1
- cpe:2.3:a:lilypond:lilypond:2.16.2
- cpe:2.3:a:lilypond:lilypond:2.18.0
- cpe:2.3:a:lilypond:lilypond:2.18.2
- cpe:2.3:a:lilypond:lilypond:2.19.0
- cpe:2.3:a:lilypond:lilypond:2.19.10
- cpe:2.3:a:lilypond:lilypond:2.19.12
- cpe:2.3:a:lilypond:lilypond:2.19.14
- cpe:2.3:a:lilypond:lilypond:2.19.16
- cpe:2.3:a:lilypond:lilypond:2.19.18
- cpe:2.3:a:lilypond:lilypond:2.19.2
- cpe:2.3:a:lilypond:lilypond:2.19.20
- cpe:2.3:a:lilypond:lilypond:2.19.22
- cpe:2.3:a:lilypond:lilypond:2.19.24
- cpe:2.3:a:lilypond:lilypond:2.19.26
- cpe:2.3:a:lilypond:lilypond:2.19.28
- cpe:2.3:a:lilypond:lilypond:2.19.30
- cpe:2.3:a:lilypond:lilypond:2.19.32
- cpe:2.3:a:lilypond:lilypond:2.19.34
- cpe:2.3:a:lilypond:lilypond:2.19.36
- cpe:2.3:a:lilypond:lilypond:2.19.38
- cpe:2.3:a:lilypond:lilypond:2.19.4
- cpe:2.3:a:lilypond:lilypond:2.19.40
- cpe:2.3:a:lilypond:lilypond:2.19.42
- cpe:2.3:a:lilypond:lilypond:2.19.44
- cpe:2.3:a:lilypond:lilypond:2.19.46
- cpe:2.3:a:lilypond:lilypond:2.19.48
- cpe:2.3:a:lilypond:lilypond:2.19.50
- cpe:2.3:a:lilypond:lilypond:2.19.52
- cpe:2.3:a:lilypond:lilypond:2.19.54
- cpe:2.3:a:lilypond:lilypond:2.19.56
- cpe:2.3:a:lilypond:lilypond:2.19.58
- cpe:2.3:a:lilypond:lilypond:2.19.6
- cpe:2.3:a:lilypond:lilypond:2.19.60
- cpe:2.3:a:lilypond:lilypond:2.19.61
- cpe:2.3:a:lilypond:lilypond:2.19.62
- cpe:2.3:a:lilypond:lilypond:2.19.63
- cpe:2.3:a:lilypond:lilypond:2.19.64
- cpe:2.3:a:lilypond:lilypond:2.19.65
- cpe:2.3:a:lilypond:lilypond:2.19.8
- cpe:2.3:a:lilypond:lilypond:2.19.80
- cpe:2.3:a:lilypond:lilypond:2.19.81
- cpe:2.3:a:lilypond:lilypond:2.19.82
- cpe:2.3:a:lilypond:lilypond:2.19.83
- cpe:2.3:a:lilypond:lilypond:2.19.84
- cpe:2.3:a:lilypond:lilypond:2.20.0
- cpe:2.3:a:lilypond:lilypond:2.21.0
- cpe:2.3:a:lilypond:lilypond:2.21.1
- cpe:2.3:a:lilypond:lilypond:2.21.2
- cpe:2.3:a:lilypond:lilypond:2.21.3
- cpe:2.3:a:lilypond:lilypond:2.21.4
- cpe:2.3:a:lilypond:lilypond:2.8.0
- cpe:2.3:a:lilypond:lilypond:2.8.8
- cpe:2.3:a:opensuse:backports_sle:15.0
- cpe:2.3:o:debian:debian_linux:10.0
- cpe:2.3:o:fedoraproject:fedora:31
- cpe:2.3:o:fedoraproject:fedora:32
- cpe:2.3:o:opensuse:leap:15.2