VIR Vulnerability Intelligence Relay

CVE-2015-8557

critical
Published 2016-01-08 · Modified 2023-11-08
CVSS v3
9.0
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v2
9.3
VIR risk
9.0

Description

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

Predictions

Exploit likelihood
93%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-8557

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff

OS impact
OSVersionStatusFixed in
ubuntu ubuntu12.04affected
ubuntu ubuntu14.04affected
ubuntu ubuntu15.04affected
ubuntu ubuntu15.10affected
debian debianbookwormfixed2.0.1+dfsg-2
debian debianbullseyefixed2.0.1+dfsg-2
debian debianforkyfixed2.0.1+dfsg-2
debian debiansidfixed2.0.1+dfsg-2
debian debiantrixiefixed2.0.1+dfsg-2

Package impact
EcosystemPackageVulnerableFixed
python PyPIpygments>=1.2.2,<2.12.1

Application impact
VendorProductVersionsFixed
pygmentspygments1.2.2
pygmentspygments1.3
pygmentspygments1.3.1
pygmentspygments1.4
pygmentspygments1.5
pygmentspygments1.6
pygmentspygments2.0
pygmentspygments2.0.1

References

CWEs

CWE-78

Verify integrity in audit chain (admin only). AS-IS.