Lilypond
By the Year
In 2024 there have been 0 vulnerabilities in Lilypond . Last year Lilypond had 1 security vulnerability published. Right now, Lilypond is on track to have less security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 1 | 8.60 |
2022 | 0 | 0.00 |
2021 | 0 | 0.00 |
2020 | 1 | 9.80 |
2019 | 0 | 0.00 |
2018 | 1 | 9.80 |
It may take a day or so for new Lilypond vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Lilypond Security Vulnerabilities
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file
CVE-2020-17354
8.6 - High
- April 15, 2023
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
AuthZ
scm/define-stencil-commands.scm in LilyPond through 2.20.0
CVE-2020-17353
9.8 - Critical
- August 05, 2020
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which
CVE-2018-10992
9.8 - Critical
- May 11, 2018
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.
Argument Injection