CVE-2018-13259 — Improper Input Validation in ZSH

CWE-20 — Improper Input Validation9 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 29.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

ZSH Debian ZSH Canonical Ubuntu Linux

Timeline

PublishedSep 5

Latest updateMay 13

Description

An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDzsh/zsh< 5.6

▶debiandebian/zsh< zsh 5.6-1 (bookworm)

▶Debianzsh/zsh< 5.6-1+3

▶Ubuntuzsh/zsh< 5.0.2-3ubuntu6.3+2

Also affects: Ubuntu Linux 14.04, 16.04, 18.04

Patches

Patch: bugs.debian.org ↗Patch: sourceforge.net ↗Patch: bugs.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-8vj4-q4ww-8jf3: An issue was discovered in zsh before 5↗2022-05-13

▶

OSV

zsh vulnerabilities↗2018-09-11

▶

OSV

CVE-2018-13259: An issue was discovered in zsh before 5↗2018-09-05

▶

📋Vendor Advisories

Ubuntu

Zsh vulnerabilities↗2018-09-11

▶

Red Hat

zsh: Improper handling of shebang line longer than 64↗2018-09-04

▶

Debian

CVE-2018-13259: zsh - An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters...↗2018

▶

💬Community

Bugzilla

CVE-2018-13259 zsh: Improper handling of shebang line longer than 64 [fedora-all]↗2018-09-06

▶

Bugzilla

CVE-2018-13259 zsh: Improper handling of shebang line longer than 64↗2018-09-06

▶