Command-Line Shell Vulnerability in Zsh by the Zsh Team
CVE-2018-13259

9.8CRITICAL

Key Information:

Vendor
Canonical
Status
Zsh Before 5.6
Vendor
CVE Published:
5 September 2018

Summary

Prior to version 5.6, the Zsh shell suffered from a vulnerability where shebang lines exceeding 64 characters were truncated. This limitation could allow an attacker to create an execve call to an unintended program, which could lead to arbitrary code execution. This could potentially compromise system integrity and expose sensitive data. Users of vulnerable versions are urged to update to the latest release promptly to mitigate risks associated with this vulnerability.

Affected Version(s)

zsh before 5.6 zsh before 5.6

References

https://bugs.debian.org/908000
x_refsource_MISC
https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df02...
x_refsource_MISC
https://www.zsh.org/mla/zsh-announce/136
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.