cvelist GitHub_M CVELIST:CVE-2020-15167
History: Sep 02, 2020 - 5:55 p.m.

CVE-2020-15167 Arbitrary code execution via configuration file in Miller

2020-09-02 17:55:12
CWE-94
GitHub_M
www.cve.org
cve-2020-15167
arbitrary code execution
miller 5.9.0
.mlrrc file
github security advisory
miller 5.9.1

CVSS3: 8.2

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.002
Percentile: 51.9%

In Miller (command line utility) using the configuration file support introduced in version 5.9.0, it is possible for an attacker to cause Miller to run arbitrary code by placing a malicious .mlrrc file in the working directory. See linked GitHub Security Advisory for complete details. A fix is ready and will be released as Miller 5.9.1.

CNA Affected

[
  {
    "product": "miller",
    "vendor": "johnkerl",
    "versions": [
      {
        "status": "affected",
        "version": "= 5.9.0"
      }
    ]
  }
]
