CVE-2019-14868
Severity: HIGH
ksh 20120801 - Command Injection via Environment Variable Handling
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
References (5)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868 (Issue Tracking, Third Party Advisory; x_refsource_confirm)
https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2 (Patch, Third Party Advisory; x_refsource_misc)
https://support.apple.com/kb/HT211170 (Third Party Advisory; x_refsource_confirm)
http://seclists.org/fulldisclosure/2020/May/53 (Mailing List, Third Party Advisory; mailing-list, x_refsource_fulldisc)
https://lists.debian.org/debian-lts-announce/2020/07/msg00015.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
Scores
CVSS v3: 7.4
EPSS: 0.0138
EPSS Percentile: 68.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-77
Status: published
Products (3)
apple/mac_os_x: < 10.15.5
debian/debian_linux: 9.0
ksh_project/ksh: 20120801
Published: Apr 02, 2020
Tracked Since: Feb 18, 2026