Amazon Linux AMI : python-pygments (ALAS-2015-630)

critical Nessus Plugin ID 87379

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

FontManager builds a shell command string using unsafe string concatenation. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The injected name variable comes from the constructor of FontManager, which ImageFormatter invokes with values taken from its options.
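
An added illustration of the pattern described above, not code from Pygments or from the advisory: it contrasts a font name concatenated into a shell string with the same name passed as a single argv element, and executes nothing. The `fc-list` command line, the function names, the allowlist and the sample values are assumptions made for this example.

```python
import re
import shlex

FONT_TOOL = "fc-list"  # assumed stand-in for the font lookup command

def unsafe_shell_string(name, style="Regular"):
    """Vulnerable pattern: the option value is pasted into a shell string."""
    return '%s "%s:style=%s" file' % (FONT_TOOL, name, style)

def safe_argv(name, style="Regular"):
    """Hardened pattern: an argument vector for subprocess.run(argv),
    which involves no shell, so the name stays one argument."""
    return [FONT_TOOL, "%s:style=%s" % (name, style), "file"]

def shell_view(command):
    """Split the string roughly as a POSIX shell would, without running it."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def breaks_quoting(name):
    """True if the name escapes the double quotes of the shell string.
    shlex does not model $(...) or backtick expansion, which a shell performs
    even inside double quotes, so this is a demonstration, not a filter."""
    try:
        return shell_view(unsafe_shell_string(name)) != safe_argv(name)
    except ValueError:  # unbalanced quote: the shell string is malformed
        return True

# Allowlist for font names taken from untrusted options (an assumed policy).
_FONT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")

def is_plausible_font_name(name):
    return isinstance(name, str) and _FONT_NAME.fullmatch(name) is not None

# Constructed sample values, not taken from the advisory.
BENIGN = "DejaVu Sans Mono"
TAINTED = 'DejaVu"; echo MARKER; "'

if __name__ == "__main__":
    for candidate in (BENIGN, TAINTED):
        print(repr(candidate), breaks_quoting(candidate),
              is_plausible_font_name(candidate))
        print("  shell string:", unsafe_shell_string(candidate))
        print("  argv        :", safe_argv(candidate))
```

On hosts that cannot be updated immediately, the same two controls apply at the application layer: reject font names outside an allowlist before they reach the formatter options.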

Solution

Run 'yum update python-pygments' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2015-630.html

Plugin Details

Severity: Critical

ID: 87379

File Name: ala_ALAS-2015-630.nasl

Version: 2.6

Type: local

Agent: unix

Published: 12/16/2015

Updated: 9/4/2018

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:python26-pygments, p-cpe:/a:amazon:linux:python27-pygments, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 12/14/2015

Reference Information

CVE: CVE-2015-8557

ALAS: 2015-630