CVE-2019-14868

Name: CVE-2019-14868
Description: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high
Debian Bugs: 948989

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release          Version            Status
ksh (PTS)        jessie           93u+20120801-1     vulnerable
                 stretch          93u+20120801-3.1   vulnerable
                 buster           93u+20120801-3.4   vulnerable
                 bullseye, sid    2020.0.0-5         fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
ksh       source   (unstable)   2020.0.0-2.1    (none)    (none)   948989

Notes

[jessie] - ksh <ignored> (Minor issue)
https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
