CVE-2020-15167 HIGH

CVE-2020-15167: Arbitrary code execution via configuration file in Miller

Vendor Johnkerl
Product miller
Weakness CWE-94 · Code injection
Published September 2, 2020
Last update August 4, 2024

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

Miller, a command-line utility, introduced configuration file support in version 5.9.0. With that support, an attacker can cause Miller to run arbitrary code by placing a malicious `.mlrrc` file in the working directory. See the linked GitHub Security Advisory for complete details. A fix is ready and will be released as Miller 5.9.1.

Key dates

02 Disclosure timeline

September 2, 2020 CVE published
August 4, 2024 Record updated