ByteOS Network

NVD Vulnerability Details :

CVE-2020-17354

Modified

Source-cve@mitre.org

Published At-15 Apr, 2023 | 22:15

Updated At-06 Feb, 2025 | 17:15

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.6	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Secondary	3.1	8.6	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 8.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CPE Matches

lilypond>>lilypond>>Versions before 2.24.0(exclusive)

cpe:2.3:a:lilypond:lilypond:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-863	Primary	nvd@nist.gov
CWE-863	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-863

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-863

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage	cve@mitre.org	Release Notes
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522	cve@mitre.org	Patch Vendor Advisory
https://lilypond.org/download.html	cve@mitre.org	Product
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/	cve@mitre.org	N/A
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/	cve@mitre.org	N/A
https://phabricator.wikimedia.org/T259210	cve@mitre.org	Exploit Third Party Advisory
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/	cve@mitre.org	Mailing List Release Notes Third Party Advisory
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory	cve@mitre.org	Third Party Advisory
http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage	af854a3a-2127-422b-91ae-364da2661108	Release Notes
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522	af854a3a-2127-422b-91ae-364da2661108	Patch Vendor Advisory
https://lilypond.org/download.html	af854a3a-2127-422b-91ae-364da2661108	Product
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/	af854a3a-2127-422b-91ae-364da2661108	N/A
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/	af854a3a-2127-422b-91ae-364da2661108	N/A
https://phabricator.wikimedia.org/T259210	af854a3a-2127-422b-91ae-364da2661108	Exploit Third Party Advisory
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/	af854a3a-2127-422b-91ae-364da2661108	Mailing List Release Notes Third Party Advisory
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory	af854a3a-2127-422b-91ae-364da2661108	Third Party Advisory