Vulnerability Details : CVE-2019-9535
A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content.
Products affected by CVE-2019-9535
- cpe:2.3:a:iterm2:iterm2:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9535
0.64%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 79 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9535
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-9535
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
-
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.Assigned by: cret@cert.org (Secondary)
References for CVE-2019-9535
-
https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit | Mozilla Security BlogExploit;Third Party Advisory
-
https://kb.cert.org/vuls/id/763073/
VU#763073 - iTerm2 with tmux integration is vulnerable to remote command executionThird Party Advisory;US Government Resource
-
https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4
Important security update — please upgrade! - Google GroepenPatch;Third Party Advisory
Jump to