{"id":"CVE-2020-17354","details":"LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used. Upgrading to 2.24 or later therefore does not by itself make it safe to process untrusted .ly files; any isolation has to come from outside LilyPond.","modified":"2026-03-15T14:38:33.672734Z","published":"2023-04-15T22:15:06.913Z","related":["MGASA-2023-0325","openSUSE-SU-2023:0137-1"],"references":[{"type":"WEB","url":"https://lilypond.org/download.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/"},{"type":"ADVISORY","url":"http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage"},{"type":"ADVISORY","url":"https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/"},{"type":"ADVISORY","url":"https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory"},{"type":"FIX","url":"https://gitlab.com/lilypond/lilypond/-/merge_requests/1522"},{"type":"EVIDENCE","url":"https://phabricator.wikimedia.org/T259210"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lilypond/lilypond","events":[{"introduced":"0"},{"fixed":"8b6ece6ad261c2e3d87dd66f0eee645cc1e56b81"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.24.0"}]}}],"versions":["branch_2_0","commit_to_build","cvs/HEAD","cvs/start","git/start","pre-paper-layout","release/0.0.1","release/0.0.10","release/0.0.11","release/0.0.13","release/0.0.14","release/0.0.15","release/0.0.16","release/0.0.17","release/0.0.18","release/0.0.19","release/0.0.2","release/0.0.20","release/0.0.21","release/0.0.22","rele
ase/0.0.23","release/0.0.24","release/0.0.25","release/0.0.26","release/0.0.27","release/0.0.28","release/0.0.29","release/0.0.3","release/0.0.30","release/0.0.31","release/0.0.32","release/0.0.33","release/0.0.34","release/0.0.35","release/0.0.36","release/0.0.37","release/0.0.38","release/0.0.39-1","release/0.0.4","release/0.0.40","release/0.0.41","release/0.0.42","release/0.0.42.pre3","release/0.0.43","release/0.0.44","release/0.0.45","release/0.0.46.jcn1","release/0.0.47","release/0.0.49","release/0.0.5","release/0.0.50","release/0.0.51","release/0.0.52","release/0.0.53","release/0.0.54","release/0.0.55","release/0.0.56","release/0.0.57","release/0.0.58","release/0.0.59","release/0.0.6","release/0.0.60","release/0.0.61","release/0.0.62","release/0.0.63","release/0.0.64","release/0.0.65","release/0.0.66","release/0.0.67","release/0.0.68pre","release/0.0.7","release/0.0.70pre","release/0.0.71pre","release/0.0.72pre","release/0.0.73pre","release/0.0.74pre","release/0.0.75","release/0.0.76","release/0.0.77.jcn1","release/0.0.78","release/0.0.8","release/0.0.9","release/0.1.0","release/0.1.1","release/0.1.10","release/0.1.11","release/0.1.12","release/0.1.13","release/0.1.14","release/0.1.15","release/0.1.16","release/0.1.17","release/0.1.18","release/0.1.19","release/0.1.20","release/0.1.21","release/0.1.22","release/0.1.23","release/0.1.24","release/0.1.25","release/0.1.26","release/0.1.27","release/0.1.28","release/0.1.29","release/0.1.30","release/0.1.31","release/0.1.32","release/0.1.33","release/0.1.34","release/0.1.35","release/0.1.36","release/0.1.37","release/0.1.38","release/0.1.39","release/0.1.41","release/0.1.42","release/0.1.43","release/0.1.44","release/0.1.45","release/0.1.46","release/0.1.47","release/0.1.48","release/0.1.49","release/0.1.50","release/0.1.51","release/0.1.52","release/0.1.53","release/0.1.54","release/0.1.55","release/0.1.56","release/0.1.57","release/0.1.58","release/0.1.59","release/0.1.60","release/0.1.61","release/0.1.62","releas
e/0.1.63","release/0.1.64","release/0.1.65","release/0.1.7","release/0.1.8","release/0.1.9","release/1.0.1","release/1.0.10","release/1.0.11","release/1.0.12","release/1.0.13","release/1.0.14","release/1.0.15","release/1.0.16","release/1.0.17","release/1.0.2","release/1.0.3","release/1.0.4","release/1.0.6","release/1.0.7","release/1.0.8","release/1.0.9","release/1.1.0","release/1.1.1","release/1.1.10","release/1.1.13","release/1.1.14","release/1.1.15","release/1.1.16","release/1.1.17","release/1.1.18","release/1.1.19","release/1.1.2","release/1.1.20","release/1.1.21","release/1.1.22","release/1.1.23","release/1.1.24","release/1.1.25","release/1.1.26","release/1.1.27","release/1.1.28","release/1.1.29","release/1.1.3","release/1.1.30","release/1.1.31","release/1.1.32","release/1.1.33","release/1.1.34","release/1.1.35","release/1.1.36","release/1.1.37","release/1.1.38","release/1.1.39","release/1.1.4","release/1.1.40","release/1.1.41","release/1.1.42","release/1.1.43","release/1.1.44","release/1.1.45","release/1.1.46","release/1.1.47","release/1.1.48","release/1.1.49","release/1.1.5","release/1.1.50","release/1.1.51","release/1.1.52","release/1.1.53","release/1.1.54","release/1.1.55","release/1.1.56","release/1.1.57","release/1.1.58","release/1.1.59","release/1.1.6","release/1.1.60","release/1.1.61","release/1.1.62","release/1.1.63","release/1.1.64","release/1.1.65","release/1.1.66","release/1.1.67","release/1.1.68","release/1.1.69","release/1.1.7","release/1.1.8","release/1.1.9","release/1.2.0","release/1.2.1","release/1.2.10","release/1.2.11","release/1.2.12","release/1.2.13","release/1.2.14","release/1.2.15","release/1.2.2","release/1.2.3","release/1.2.4","release/1.2.5","release/1.2.6","release/1.2.7","release/1.2.8","release/1.2.9","release/1.3.0","release/1.3.1","release/1.3.10","release/1.3.100","release/1.3.101","release/1.3.102","release/1.3.103","release/1.3.104","release/1.3.105","release/1.3.106","release/1.3.107","release/1.3.108","release/1.3.109","releas
e/1.3.11","release/1.3.110","release/1.3.111","release/1.3.112","release/1.3.113","release/1.3.114","release/1.3.115","release/1.3.116","release/1.3.117","release/1.3.118","release/1.3.119","release/1.3.12","release/1.3.120","release/1.3.121","release/1.3.122","release/1.3.123","release/1.3.124","release/1.3.125","release/1.3.126","release/1.3.127","release/1.3.128","release/1.3.129","release/1.3.13","release/1.3.130","release/1.3.131","release/1.3.132","release/1.3.133","release/1.3.134","release/1.3.135","release/1.3.136","release/1.3.137","release/1.3.138","release/1.3.139","release/1.3.14","release/1.3.140","release/1.3.141","release/1.3.142","release/1.3.143","release/1.3.144","release/1.3.145","release/1.3.146","release/1.3.147","release/1.3.148","release/1.3.149","release/1.3.15","release/1.3.150","release/1.3.151","release/1.3.152","release/1.3.153","release/1.3.154","release/1.3.16","release/1.3.17","release/1.3.18","release/1.3.19","release/1.3.2","release/1.3.20","release/1.3.21","release/1.3.22","release/1.3.23","release/1.3.24","release/1.3.25","release/1.3.26","release/1.3.27","release/1.3.28","release/1.3.29","release/1.3.3","release/1.3.30","release/1.3.31","release/1.3.32","release/1.3.33","release/1.3.34","release/1.3.35","release/1.3.36","release/1.3.37","release/1.3.38","release/1.3.39","release/1.3.4","release/1.3.40","release/1.3.41","release/1.3.42","release/1.3.43","release/1.3.44","release/1.3.45","release/1.3.46","release/1.3.47","release/1.3.48","release/1.3.49","release/1.3.5","release/1.3.50","release/1.3.51","release/1.3.52","release/1.3.53","release/1.3.54","release/1.3.55","release/1.3.56","release/1.3.57","release/1.3.58","release/1.3.59","release/1.3.6","release/1.3.60","release/1.3.61","release/1.3.62","release/1.3.63","release/1.3.64","release/1.3.65","release/1.3.66","release/1.3.67","release/1.3.68","release/1.3.69","release/1.3.7","release/1.3.70","release/1.3.71","release/1.3.72","release/1.3.73","release/1.3.74","release/1.3.
75","release/1.3.76","release/1.3.77","release/1.3.78","release/1.3.79","release/1.3.8","release/1.3.80","release/1.3.81","release/1.3.82","release/1.3.83","release/1.3.84","release/1.3.85","release/1.3.86","release/1.3.87","release/1.3.88","release/1.3.89","release/1.3.9","release/1.3.90","release/1.3.91","release/1.3.92","release/1.3.93","release/1.3.94","release/1.3.95","release/1.3.96","release/1.3.97","release/1.3.98","release/1.3.99","release/1.4.0","release/1.4.1","release/1.4.2","release/1.4.3","release/1.4.4","release/1.5.0","release/1.5.1","release/1.5.10","release/1.5.11","release/1.5.12","release/1.5.13","release/1.5.14","release/1.5.15","release/1.5.16","release/1.5.17","release/1.5.18","release/1.5.19","release/1.5.2","release/1.5.20","release/1.5.21","release/1.5.22","release/1.5.23","release/1.5.24","release/1.5.25","release/1.5.26","release/1.5.27","release/1.5.28","release/1.5.29","release/1.5.3","release/1.5.30","release/1.5.31","release/1.5.32","release/1.5.33","release/1.5.34","release/1.5.35","release/1.5.36","release/1.5.37","release/1.5.38","release/1.5.39","release/1.5.4","release/1.5.40","release/1.5.41","release/1.5.42","release/1.5.43","release/1.5.44","release/1.5.45","release/1.5.46","release/1.5.47","release/1.5.48","release/1.5.49","release/1.5.5","release/1.5.50","release/1.5.51","release/1.5.52","release/1.5.53","release/1.5.54","release/1.5.55","release/1.5.56","release/1.5.57","release/1.5.58","release/1.5.6","release/1.5.61","release/1.5.62","release/1.5.63","release/1.5.64","release/1.5.65","release/1.5.66","release/1.5.67","release/1.5.68","release/1.5.69","release/1.5.7","release/1.5.70","release/1.5.72","release/1.5.73","release/1.5.74","release/1.5.8","release/1.5.9","release/1.6.0","release/1.7.0","release/1.7.1","release/1.7.10","release/1.7.11","release/1.7.12","release/1.7.13","release/1.7.14","release/1.7.15","release/1.7.16","release/1.7.17","release/1.7.18","release/1.7.2","release/1.7.20","release/1.7.21","release/1.
7.22","release/1.7.23","release/1.7.24","release/1.7.26","release/1.7.27","release/1.7.3","release/1.7.30","release/1.7.4","release/1.7.5","release/1.7.6","release/1.7.7","release/1.7.8","release/1.7.9","release/1.8.0","release/1.9.0","release/1.9.1","release/1.9.10","release/1.9.2","release/1.9.6","release/1.9.7","release/1.9.8","release/1.9.9","release/2.0.0","release/2.0.1","release/2.1.0","release/2.1.23","release/2.1.24","release/2.1.25","release/2.1.26","release/2.1.28","release/2.1.29","release/2.1.30","release/2.1.31","release/2.1.32","release/2.1.33","release/2.1.34","release/2.1.35","release/2.1.37","release/2.11.0-1","release/2.11.1-1","release/2.11.10-1","release/2.11.11-1","release/2.11.12-1","release/2.11.13-1","release/2.11.14-1","release/2.11.14-2","release/2.11.15-1","release/2.11.15-2","release/2.11.16-1","release/2.11.17-1","release/2.11.18-1","release/2.11.19-1","release/2.11.2-1","release/2.11.20-1","release/2.11.21-1","release/2.11.22-1","release/2.11.23-1","release/2.11.24-1","release/2.11.24-2","release/2.11.25-1","release/2.11.26-1","release/2.11.27-1","release/2.11.28-1","release/2.11.29-1","release/2.11.29-2","release/2.11.3-1","release/2.11.30-1","release/2.11.31-1","release/2.11.32-1","release/2.11.33-1","release/2.11.34-1","release/2.11.35-1","release/2.11.36-1","release/2.11.37-1","release/2.11.38-1","release/2.11.39-1","release/2.11.4-1","release/2.11.40-1","release/2.11.41-1","release/2.11.42-1","release/2.11.43-1","release/2.11.43-2","release/2.11.44-1","release/2.11.45-1","release/2.11.46-1","release/2.11.47-1","release/2.11.47-2","release/2.11.48-1","release/2.11.49-1","release/2.11.5-1","release/2.11.50-1","release/2.11.51-1","release/2.11.52-1","release/2.11.53-1","release/2.11.53-2","release/2.11.54-1","release/2.11.55-1","release/2.11.55-2","release/2.11.56-1","release/2.11.57-1","release/2.11.58-1","release/2.11.58-2","release/2.11.58-3","release/2.11.59-1","release/2.11.6-1","release/2.11.60-1","release/2.11.61-1","release/2
.11.62-1","release/2.11.63-1","release/2.11.64-1","release/2.11.65-1","release/2.11.7-1","release/2.11.8-1","release/2.11.9-1","release/2.12.0-1","release/2.12.1-1","release/2.12.2-1","release/2.13.0-0","release/2.13.1-0","release/2.13.1-1","release/2.13.10-1","release/2.13.11-1","release/2.13.12-1","release/2.13.13-1","release/2.13.14-1","release/2.13.15-1","release/2.13.16-1","release/2.13.17-1","release/2.13.18-1","release/2.13.19-1","release/2.13.2-0","release/2.13.20-1","release/2.13.21-1","release/2.13.22-1","release/2.13.23-1","release/2.13.24-1","release/2.13.25-1","release/2.13.26-1","release/2.13.27-1","release/2.13.27-2","release/2.13.28-1","release/2.13.29-1","release/2.13.3-0","release/2.13.30-1","release/2.13.31-1","release/2.13.32-1","release/2.13.33-1","release/2.13.34-1","release/2.13.35-1","release/2.13.36-1","release/2.13.37-1","release/2.13.38-1","release/2.13.39-1","release/2.13.4-1","release/2.13.40-1","release/2.13.41-1","release/2.13.42-1","release/2.13.43-1","release/2.13.44-1","release/2.13.45-1","release/2.13.46-1","release/2.13.47-1","release/2.13.48-1","release/2.13.49-1","release/2.13.5-0","release/2.13.50-1","release/2.13.51-1","release/2.13.52-1","release/2.13.53-1","release/2.13.54-1","release/2.13.55-1","release/2.13.56-1","release/2.13.57-1","release/2.13.58-1","release/2.13.59-1","release/2.13.6-1","release/2.13.60-1","release/2.13.61-1","release/2.13.62-1","release/2.13.7-0","release/2.13.7-1","release/2.13.8-1","release/2.13.9-1","release/2.15.0-1","release/2.15.1-1","release/2.15.10-1","release/2.15.11-1","release/2.15.12-1","release/2.15.13-1","release/2.15.14-1","release/2.15.15-1","release/2.15.16-1","release/2.15.17-1","release/2.15.18-1","release/2.15.19-1","release/2.15.2-1","release/2.15.20-1","release/2.15.21-1","release/2.15.22-1","release/2.15.23-1","release/2.15.24-1","release/2.15.25-1","release/2.15.26-1","release/2.15.27-1","release/2.15.28-1","release/2.15.29-1","release/2.15.3-1","release/2.15.30-1","release/2.1
5.31-1","release/2.15.32-1","release/2.15.33-1","release/2.15.34-1","release/2.15.35-1","release/2.15.36-1","release/2.15.37-1","release/2.15.38-1","release/2.15.39-1","release/2.15.4-1","release/2.15.40-1","release/2.15.41-1","release/2.15.42-1","release/2.15.5-1","release/2.15.6-1","release/2.15.7-1","release/2.15.8-1","release/2.15.9-1","release/2.15.95-1","release/2.16.0-1","release/2.17.0-1","release/2.17.1-1","release/2.17.10-1","release/2.17.11-1","release/2.17.12-1","release/2.17.13-1","release/2.17.14-1","release/2.17.15-1","release/2.17.16-1","release/2.17.17-1","release/2.17.18-1","release/2.17.19-1","release/2.17.2-1","release/2.17.20-1","release/2.17.21-1","release/2.17.22-1","release/2.17.23-1","release/2.17.24-1","release/2.17.25-1","release/2.17.26-1","release/2.17.27-1","release/2.17.28-1","release/2.17.29-1","release/2.17.3-1","release/2.17.4-1","release/2.17.5-1","release/2.17.5-2","release/2.17.6-1","release/2.17.7-1","release/2.17.8-1","release/2.17.9-1","release/2.17.95-1","release/2.19.0-1","release/2.19.1-1","release/2.19.10-1","release/2.19.11-1","release/2.19.12-1","release/2.19.13-1","release/2.19.14-1","release/2.19.15-1","release/2.19.16-1","release/2.19.17-1","release/2.19.18-1","release/2.19.19-1","release/2.19.2-1","release/2.19.20-1","release/2.19.21-1","release/2.19.22-1","release/2.19.23-1","release/2.19.24-1","release/2.19.25-1","release/2.19.26-1","release/2.19.27-1","release/2.19.28-1","release/2.19.29-1","release/2.19.3-1","release/2.19.30-1","release/2.19.31-1","release/2.19.32-1","release/2.19.33-1","release/2.19.34-1","release/2.19.35-1","release/2.19.36-1","release/2.19.37-1","release/2.19.37-2","release/2.19.38-1","release/2.19.39-1","release/2.19.4-1","release/2.19.40-1","release/2.19.41-1","release/2.19.42-1","release/2.19.43-1","release/2.19.44-1","release/2.19.45-1","release/2.19.46-1","release/2.19.47-1","release/2.19.48-1","release/2.19.49-1","release/2.19.5-1","release/2.19.50-1","release/2.19.51-1","release/2.19.52
-1","release/2.19.53-1","release/2.19.54-1","release/2.19.55-1","release/2.19.56-1","release/2.19.57-1","release/2.19.58-1","release/2.19.59-1","release/2.19.6-1","release/2.19.60-1","release/2.19.61-1","release/2.19.62-1","release/2.19.63-1","release/2.19.64-1","release/2.19.65-1","release/2.19.7-1","release/2.19.8-1","release/2.19.9-1","release/2.2.0","release/2.21.0-1","release/2.21.1-1","release/2.21.2-1","release/2.21.3-1","release/2.21.4-1","release/2.21.5-1","release/2.21.6-1","release/2.21.7-1","release/2.23.0-1","release/2.23.1-1","release/2.23.2-1","release/2.23.3-1","release/2.23.4-1","release/2.23.5-1","release/2.23.6-1","release/2.3.0","release/2.3.1","release/2.3.10","release/2.3.11","release/2.3.13","release/2.3.14","release/2.3.15","release/2.3.16","release/2.3.17","release/2.3.18","release/2.3.19","release/2.3.2","release/2.3.20","release/2.3.21","release/2.3.22","release/2.3.23","release/2.3.25","release/2.3.3","release/2.3.4","release/2.3.5","release/2.3.6","release/2.3.7","release/2.3.8","release/2.5.14","release/2.5.15","release/2.5.16","release/2.5.17","release/2.5.18","release/2.5.19","release/2.5.20","release/2.5.21","release/2.5.22","release/2.5.24","release/2.5.25","release/2.5.26","release/2.5.27","release/2.5.28","release/2.5.29","release/2.5.30","release/2.5.31","release/2.6.0","release/2.7.0","release/2.7.1","release/2.7.10","release/2.7.11","release/2.7.12","release/2.7.13","release/2.7.14","release/2.7.15","release/2.7.17","release/2.7.18","release/2.7.19","release/2.7.21","release/2.7.22","release/2.7.23","release/2.7.24","release/2.7.25","release/2.7.26","release/2.7.27","release/2.7.28","release/2.7.29","release/2.7.3","release/2.7.30","release/2.7.31","release/2.7.32","release/2.7.34","release/2.7.35","release/2.7.36","release/2.7.37","release/2.7.39","release/2.7.4","release/2.7.40","release/2.7.5","release/2.7.6","release/2.7.7","release/2.7.8","release/2.7.9","release/2.9.0","release/2.9.1","release/2.9.2","release/2.9.3","rele
ase/2.9.4","release/2.9.5","release/2.9.6","release/2.9.7","tarball/HEAD","tarball/start","v2.23.10","v2.23.11","v2.23.12","v2.23.13","v2.23.14","v2.23.7","v2.23.8","v2.23.80","v2.23.81","v2.23.82","v2.23.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-17354.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}