Vulnerability Details : CVE-2019-14868
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Products affected by CVE-2019-14868
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:ksh_project:ksh:20120801:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14868
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~56% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-14868
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
| 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
| 7.4 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 1.4 | 5.9 | Red Hat, Inc. | |
CWE ids for CVE-2019-14868
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2019-14868
- https://support.apple.com/kb/HT211170
  About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra - Apple Support (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/07/msg00015.html
  [SECURITY] [DLA 2284-1] ksh security update (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868
  1757324 – (CVE-2019-14868) CVE-2019-14868 ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (Issue Tracking; Third Party Advisory)
- https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
  Harden env var imports · att/ast@c7de8b6 · GitHub (Patch; Third Party Advisory)
- http://seclists.org/fulldisclosure/2020/May/53
  Full Disclosure: APPLE-SA-2020-05-26-3 macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra (Mailing List; Third Party Advisory)