CVE-2020-17354

Name: CVE-2020-17354
Creator: NVD / NIST
Published: 2023-04-15T22:15:06.913+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.6/10EPSS 0.41%

Last modified Jun 17, 2026

CVE-2020-17354 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.. EPSS estimates a 0.41% chance of exploitation in the next 30 days.

Description

LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.

Metrics

CVSS 3.1

8.6/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Probability

0.41%

33.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Lilypond	Lilypond	< 2.24.0

References

http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usageRelease Notes
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522Patch, Vendor Advisory
https://lilypond.org/download.htmlProduct
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/
https://phabricator.wikimedia.org/T259210Exploit, Third Party Advisory
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/Mailing List, Release Notes, Third Party Advisory
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisoryThird Party Advisory
http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usageRelease Notes
https://gitlab.com/lilypond/lilypond/-/merge_requests/1522Patch, Vendor Advisory
https://lilypond.org/download.htmlProduct
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K43PF6VGFJNNGAPY57BW3VMEFFOSMRLF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ST5BLLQ4GDME3SN7UE5OMNE5GZE66X4Y/
https://phabricator.wikimedia.org/T259210Exploit, Third Party Advisory
https://tracker.debian.org/news/1249694/accepted-lilypond-2221-1-source-into-unstable/Mailing List, Release Notes, Third Party Advisory
https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisoryThird Party Advisory

Timeline

Published: Apr 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-17354?

How severe is CVE-2020-17354?

CVE-2020-17354 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 0.41% probability of exploitation in the next 30 days.

How do I fix CVE-2020-17354?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-17354?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST