CVE-2019-14868

Name: CVE-2019-14868
Description: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high
Debian Bugs: 948989, 964034

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version                          Status
ksh (PTS)        stretch    93u+20120801-3.1                 vulnerable
                 buster     93u+20120801-3.4                 vulnerable
                 bullseye   2020.0.0+really93u+20120801-6    fixed
                 sid        2020.0.0+really93u+20120801-7    fixed
ksh93 (PTS)      sid        93u+20120801-7                   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
ksh       source   (unstable)   2020.0.0-2.1                       948989
ksh93     source   (unstable)   (unfixed)                          964034

Notes

[jessie] - ksh <ignored> (Minor issue)
https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
