CVE-2020-17354
NixOS vulnerability analysis and mitigation

Overview

LilyPond before version 2.24 contained a vulnerability that allowed attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope functions. The vulnerability enabled arbitrary code execution during file format conversion through dangerous Scheme code in .ly files. Notably, in version 2.24 and later, safe mode was completely removed as the product no longer attempts to block code execution when external files are used (NVD, Debian Tracker).

Technical details

The bypass went through two functions in LilyPond's Scheme API: output-def-lookup and output-def-scope. Both returned a module object that the parser had created outside the sandbox; that module inherited all top-level bindings, so code reached through it had access to every Scheme function that -dsafe was meant to withhold. The vulnerability received a CVSS v3.1 Base Score of 8.6 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD, Phabricator).

Impact

The vulnerability allowed attackers to execute arbitrary code on the system by bypassing LilyPond's safe mode protections. This was particularly concerning for web servers that provided LilyPond formatting capabilities, as it could lead to remote code execution. The impact was severe enough that Wikimedia disabled the Score extension on their platforms in July 2020 (MediaWiki).

Mitigation and workarounds

The final resolution came in LilyPond 2.24, which removed safe mode entirely rather than keep maintaining a protection that could be bypassed. Since no release now attempts to contain Scheme code in .ly input, systems that must process untrusted LilyPond files need containment outside the LilyPond process itself, such as running it in a restricted environment. Wikimedia implemented this isolation with Shellbox for their Score extension. It is recommended to enable Score and LilyPond only on wikis where all users with editing privileges are trusted, or where proper containment mechanisms are in place (MediaWiki, Debian Tracker).
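As an added example (not LilyPond's, Wikimedia's or Shellbox's code), the following wrapper shows the kind of external containment the mitigation above calls for: it flags embedded Scheme in a .ly file for triage, then renders the file with LilyPond inside a bubblewrap (bwrap) sandbox with no network, a read-only system, and a single writable output directory. The bwrap options and LilyPond's -o option are real; the /work/in and /work/out mount layout, the merged-/usr assumption, the environment and the timeout are assumptions of this example.

```python
"""Render an untrusted .ly file with LilyPond inside a bubblewrap sandbox."""
from __future__ import annotations
import re
import subprocess
from pathlib import Path

# Triage signal only, not a safety gate: '#(' opens embedded Scheme, and
# output-def-lookup / output-def-scope are the two names from CVE-2020-17354.
SCHEME_PATTERN = re.compile(r"#\(|output-def-(?:lookup|scope)")

def embedded_scheme_hits(ly_text: str) -> list[str]:
    """Tokens showing the file carries Scheme; an empty list means none seen."""
    return [m.group(0) for m in SCHEME_PATTERN.finditer(ly_text)]

def sandbox_argv(in_dir: str, out_dir: str, ly_name: str) -> list[str]:
    """bwrap command line (assumes a merged-/usr host): read-only system dirs,
    no network/PID/IPC sharing, input mounted read-only, only out_dir writable."""
    return [
        "bwrap", "--unshare-all", "--die-with-parent", "--new-session",
        "--ro-bind", "/usr", "/usr", "--ro-bind", "/etc", "/etc",
        "--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64",
        "--symlink", "usr/bin", "/bin",
        "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
        "--setenv", "HOME", "/tmp",
        "--ro-bind", in_dir, "/work/in", "--bind", out_dir, "/work/out",
        "--chdir", "/work/out",
        "lilypond", "-dno-point-and-click", "-o", "/work/out",
        f"/work/in/{ly_name}",
    ]

def run_sandboxed(ly_path: str, out_dir: str, timeout_s: int = 60) -> subprocess.CompletedProcess:
    """Render one .ly file. The whole parent directory of ly_path becomes
    readable inside the sandbox, so give each job its own input directory."""
    src = Path(ly_path).resolve()
    out = Path(out_dir).resolve()
    out.mkdir(parents=True, exist_ok=True)
    argv = sandbox_argv(str(src.parent), str(out), src.name)
    # Minimal environment so nothing from the caller's shell leaks in;
    # the timeout bounds a render that loops or stalls inside Scheme.
    env = {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"}
    return subprocess.run(argv, env=env, capture_output=True, text=True, timeout=timeout_s)

if __name__ == "__main__":
    import sys
    hits = embedded_scheme_hits(Path(sys.argv[1]).read_text())
    if hits:
        print("embedded Scheme present, review before publishing:", sorted(set(hits)))
    result = run_sandboxed(sys.argv[1], sys.argv[2])
    print("lilypond exit status:", result.returncode, result.stderr[-500:])
```

Requires bwrap and lilypond on the host; with unprivileged user namespaces disabled, bwrap must be installed setuid or the call fails.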

Community reactions

The vulnerability led to significant changes in how LilyPond's security was perceived and handled. Debian added explicit security warnings about LilyPond's insecurity for external data files in their documentation. Wikimedia temporarily disabled their Score extension and later re-enabled it with additional security measures. The LilyPond developers ultimately decided to remove the safe mode feature entirely, acknowledging that it was better not to promise security that couldn't be delivered (Phabricator, MediaWiki).
