CVE-2019-9146

HIGH

Jamf Self Service 10.9.0 - Unauthenticated Remote Code Execution via Bash Script Injection

Title source: llm
STIX 2.1

Description

Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain a root shell by leveraging the "publish Bash shell scripts" feature to insert "/Applications/Utilities/Terminal app/Contents/MacOS/Terminal" into the TCP data stream.

Scores

CVSS v3 7.5
EPSS 0.0078
EPSS Percentile 51.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
jamf/self_service 10.9.0
Published Feb 25, 2019
Tracked Since Feb 18, 2026