CVE-2020-15167

In Miller (command line utility) using the configuration file support introduced in version 5.9.0, it is possible for an attacker to cause Miller to run arbitrary code by placing a malicious .mlrrc file in the working directory. See linked GitHub Security Advisory for complete details. A fix is ready and will be released as Miller 5.9.1.

References

https://github.com/johnkerl/miller/security/advisories/GHSA-mw2v-4q78-j2cw

Affected packages

Git / github.com/johnkerl/miller

Affected ranges

Type

GIT

Repo

https://github.com/johnkerl/miller

Events

Introduced

Last affected

640af6eb1c1c1b9680567a269da033790ccc3f04

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.9.0"
        }
    ]
}

Affected versions

5.*

5.3.0

5.4.0

v1.*

v1.0.0

v1.0.1

v2.*

v2.0.0

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v3.*

v3.0.0

v3.0.1

v3.1.0

v3.1.1

v3.1.2

v3.2.2

v3.3.2

v3.4.0

v3.5.0

v4.*

v4.0.0

v4.1.0

v4.2.0

v4.3.0

v4.4.0

v4.5.0

v5.*

v5.0.0

v5.0.1

v5.1.0

v5.1.0w

v5.2.0

v5.2.1

v5.2.2

v5.3.0

v5.5.0

v5.6.0

v5.6.1

v5.6.2

v5.7.0

v5.8.0

v5.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15167.json"