CVE-2021-45444

HIGH

zsh < 5.8.1 - Remote Code Execution via PROMPT_SUBST Expansion

Title source: llm
STIX 2.1

Description

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.

References (12)

Core 12
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://zsh.sourceforge.io/releases.html
Third Party Advisory x_refsource_misc
https://vuln.ryotak.me/advisories/63
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5078
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/02/msg00020.html
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT213257
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT213256
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT213255
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/33
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/35
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/38

Scores

CVSS v3 7.8
EPSS 0.0011
EPSS Percentile 29.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (9)
apple/mac_os_x 10.15.7 security_update_2020 (13 CPE variants)
apple/mac_os_x 10.15 - 10.15.7
apple/macos 11.0 - 11.6.6
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
zsh/zsh < 5.8.1
Published Feb 14, 2022
Tracked Since Feb 18, 2026