Published: 02/04/2020 Updated: 12/02/2023

CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9

CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8

VMScore: 641

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated malicious users to provide one of those environment variables could allow them to exploit this issue remotely.

Vulnerable Product	Search on Vulmon	Subscribe to Product
ksh project ksh 20120801
debian debian linux 9.0
apple mac os x

Debian Bug report logs - #948989 ksh: CVE-2019-14868 Package: src:ksh; Maintainer for src:ksh is Anuradha Weeraman <aweeraman@gmailcom>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 15 Jan 2020 16:57:01 UTC Severity: grave Tags: security, upstream Found in versions ksh/202000-2, ksh/93u+201208 ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 75 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 72 Advanced Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which g ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 80 Update Services for SAP SolutionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scori ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which g ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 74 Advanced Update Support, Red Hat Enterprise Linux 74 Telco Extended Update Support, and Red Hat Enterprise Linux 74 Update Services for SAP Solutions ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 76 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which g ...

Synopsis Important: ksh security update Type/Severity Security Advisory: Important Topic An update for ksh is now available for Red Hat Enterprise Linux 73 Advanced Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...

A flaw was found in ksh version 202000 in the evaluation of certain environment variables An attacker could use this flaw to override or bypass environment restrictions to execute shell commands Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this is ...

Full Disclosure mailing list archives   By Date By Thread </form>    APPLE-SA-2020-05-26-3 macOS Catalina 10155, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra <! ...

Mahdi's build of mksh

mksh(1) R59c This is the website of the MirBSD™ Korn Shell, an actively developed free implementation of the Korn Shell programming language and a successor to the Public Domain Korn Shell (pdksh) This page is always accessible via a redirection at mirbsdde/mksh, which is the canonical homepage URI There also is (most of the time) mksh on Freshmeat and an mksh p

CWE-77 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868 https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2 https://support.apple.com/kb/HT211170 http://seclists.org/fulldisclosure/2020/May/53 https://lists.debian.org/debian-lts-announce/2020/07/msg00015.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948989 https://nvd.nist.gov https://github.com/MahdiMirzade/mksh https://security.archlinux.org/CVE-2019-14868

CVE-2019-14868

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

Github Repositories

References

Vulmon Search

About

Products

Connect