CVE-2019-14868: Command Injection in Apple Mac OS X

CWE-77: Command Injection (7 documents, 6 sources)

Severity: 7.8 HIGH (NVD)
EPSS: 0.2% (top 57.47%)
CISA KEV: not in KEV
Exploit: no known exploits
Timeline: published 2020-04-02; latest update 2022-05-24

Description

In ksh version 20120801 (the AT&T ksh93u+ 2012-08-01 release), a flaw was found in the way it evaluates certain environment variables on startup: their values are interpreted as arithmetic expressions, which leads to code injection. An attacker who controls one of those variables can override or bypass environment restrictions and execute shell commands. Services and applications that let remote, unauthenticated attackers supply one of those environment variables (for example, a service that copies request data into the environment of a ksh script it runs) expose this issue remotely.
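The description names the exposure pattern (a service that hands attacker-controlled environment variables to ksh) but not how to check a host or harden such a service. The Python below is an added example, not code from cvebase, NVD, Red Hat or the ksh project. It does two things a practitioner would want here: classify ksh's `--version` banner so the upstream 20120801 build (93u+ 2012-08-01) is flagged, and build a child environment from an explicit allowlist so attacker-supplied values never reach ksh's startup evaluation. The banner format, the `_SHELL_ACTIVE` character set, the function names and the sample request data are assumptions constructed for the example.

```python
import re
import subprocess

# Banner format is an assumption based on ksh93's `ksh --version` output, e.g.
#   version         sh (AT&T Research) 93u+ 2012-08-01
# ksh 2020 prints "... 2020.0.0" and the ksh93u+m fork prints "... 93u+m/1.0.x <date>".
_BANNER_RE = re.compile(
    r"sh \(AT&T Research\)\s+(?P<release>\S+)(?:\s+(?P<date>\d{4}-\d{2}-\d{2}))?"
)
AFFECTED_RELEASE = "93u+"
AFFECTED_DATE = "2012-08-01"  # the "20120801" release named in the advisory


def ksh_banner_is_affected(banner: str) -> bool:
    """Return True if the banner identifies upstream ksh 93u+ 2012-08-01.

    Distributions backported the fix without changing this banner, so True
    means "check the package version", not "confirmed vulnerable".
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return False
    return m.group("release") == AFFECTED_RELEASE and m.group("date") == AFFECTED_DATE


def installed_ksh_is_affected(ksh_path: str = "ksh") -> bool:
    """Run `ksh --version` on this host and classify the banner."""
    try:
        proc = subprocess.run([ksh_path, "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    # ksh93 writes the banner to stderr; check both streams to be safe.
    return ksh_banner_is_affected(proc.stdout + proc.stderr)


# Characters that make a value more than a plain string inside ksh's arithmetic
# or substitution syntax: command substitution, backticks, grouping, assignment.
# (Assumed set for this example; tighten or loosen for your own service.)
_SHELL_ACTIVE = re.compile(r"[$`()=;|&<>\\\"']")


def clean_env(untrusted: dict, allowlist) -> dict:
    """Build the environment for a child ksh from an explicit allowlist.

    Names not on the allowlist are dropped. An allowed name whose value contains
    shell-active characters is rejected outright rather than passed through,
    since ksh 20120801 evaluates some variable values as arithmetic on startup.
    """
    out = {}
    for name in allowlist:
        if name not in untrusted:
            continue
        value = untrusted[name]
        if _SHELL_ACTIVE.search(value):
            raise ValueError(f"refusing to export {name}: value contains shell-active characters")
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample: request data a CGI-style wrapper would normally copy
    # into the child's environment; the User-Agent value is attacker-controlled.
    request_env = {
        "PATH": "/usr/bin:/bin",
        "LANG": "C",
        "HTTP_USER_AGENT": "$(id > /tmp/pwned)",
    }
    print(clean_env(request_env, ["PATH", "LANG"]))
    print(installed_ksh_is_affected())
```

The banner check is a triage aid only: Red Hat and Debian shipped fixed packages that still report 93u+ 2012-08-01, so confirm with the package manager (Debian fixed in 2020.0.0-2.1, macOS in 10.15.5). The allowlist is the real mitigation for the remote case; the character filter is defence in depth for values you must forward.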

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 1.8 | Impact: 5.9)

Note that NVD scored this as a local, low-privilege attack. The remote case mentioned in the description (a service that forwards attacker-supplied environment variables to ksh) is not reflected in the vector, so assess such services by their own exposure rather than by the 7.8 score.

Affected Packages (5 packages)

  Source       Package            Affected versions
  CVEList V5   kornshell/ksh      20120801
  Debian       debian/ksh         < 2020.0.0-2.1 (bullseye)
  NVD          apple/mac_os_x     < 10.15.5
  Debian       ksh_project/ksh    < 2020.0.0-2.1
  NVD          ksh_project/ksh    20120801

Also affects: Debian Linux 9.0

Patches: none listed

Vulnerability Details (2)

  GHSA  GHSA-2x84-7422-962r: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables (2022-05-24)
  OSV   CVE-2019-14868: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables (2020-04-02)

Vendor Advisories (2)

  Red Hat  ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (2019-12-13)
  Debian   CVE-2019-14868: ksh - In ksh version 20120801, a flaw was found in the way it evaluates certain enviro... (2019)

Community (2)

  Bugzilla  CVE-2019-14868 ksh: environment variables on startup are interpreted as arithmetic expression leading to code injection [fedora-all] (2020-01-13)
  Bugzilla  CVE-2019-14868 ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (2019-10-01)
CVE-2019-14868 — Command Injection in Apple MAC OS X | cvebase