QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14868

Published: Apr 2, 2020

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.1

7.4

HIGH

Description

In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

Vendor	Product	Versions
KornShell	ksh	affected `20120801`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868

x_refsource_CONFIRM

https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2

x_refsource_MISC

https://support.apple.com/kb/HT211170

x_refsource_CONFIRM

20200529 APPLE-SA-2020-05-26-3 macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

mailing-list

x_refsource_FULLDISC

[debian-lts-announce] 20200720 [SECURITY] [DLA 2284-1] ksh security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.