CVE-2019-14868

EPSS 0.21%
Published 02.04.2020 17:15:13
Last modified 21.11.2024 04:27:32
Source secalert@redhat.com
Teams watchlist Login
Open Login

In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

Affected products Warnungen 0 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Ksh Project ≫ Ksh Version20120801

Debian ≫ Debian Linux Version9.0

Apple ≫ macOS X Version < 10.15.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.435

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
secalert@redhat.com	7.4	1.4	5.9	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://support.apple.com/kb/HT211170

Third Party Advisory

http://seclists.org/fulldisclosure/2020/May/53

Third Party Advisory

Mailing List

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868

Third Party Advisory

Issue Tracking

https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2

Patch

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00015.html