CVE-2019-14868

Name: CVE-2019-14868
Description: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2284-1
Debian Bugs: 948989, 964034

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version                          Status
ksh (PTS)        buster     93u+20120801-3.4+deb10u1         fixed
                 bullseye   2020.0.0+really93u+20120801-9    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version               Urgency   Origin       Debian Bugs
ksh       source   stretch      93u+20120801-3.1+deb9u1               DLA-2284-1
ksh       source   buster       93u+20120801-3.4+deb10u1
ksh       source   (unstable)   2020.0.0-2.1                                       948989
ksh93     source   (unstable)   (unfixed)                                          964034
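The fixed-version data above is only useful if you compare an installed version against it the way dpkg does (tilde sorts before the empty string, "+deb10u1" sorts after the bare revision, epochs win over everything). The following script is an added example, not part of the Debian security tracker or of the ksh package: it ports dpkg's version comparison (Debian Policy 5.6.12) so the check runs without dpkg present, and seeds FIXED_VERSIONS from the fixed-version table on this page. The bullseye entry reuses the "(unstable)" fixed version 2020.0.0-2.1, since bullseye's 2020.0.0+really93u+20120801-9 sorts above it; the release names and the dpkg-query call are assumptions for the stand-alone run, not something the page states.

```python
"""Check an installed Debian ksh version against the CVE-2019-14868 fixed
versions listed on the tracker page.

Added example, not part of the Debian security tracker or the ksh package.
Re-implements dpkg's version comparison (Debian Policy 5.6.12) so it works
offline; FIXED_VERSIONS is copied from the page's fixed-version table.
"""
import subprocess
import sys

# Fixed versions from the tracker table. bullseye is mapped to the
# "(unstable)" entry (assumption): its package 2020.0.0+really93u+20120801-9
# sorts above 2020.0.0-2.1 under dpkg ordering and the page marks it fixed.
FIXED_VERSIONS = {
    "stretch": "93u+20120801-3.1+deb9u1",
    "buster": "93u+20120801-3.4+deb10u1",
    "bullseye": "2020.0.0-2.1",
    "unstable": "2020.0.0-2.1",
}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's weight for a character in a non-digit run: end-of-string and
    digits weigh 0, letters their ASCII value, '~' sorts before everything
    (even end-of-string), any other character sorts after all letters."""
    if c == "" or c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): compare alternating non-digit and digit
    runs; digit runs compare numerically with leading zeros ignored."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:   # a has more digits: larger number
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no '-' at all: native package, empty revision
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b
    (same ordering as `dpkg --compare-versions`)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _cmp_fragment(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def status(release: str, installed: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' (release not in the table) for
    an installed ksh version with respect to CVE-2019-14868."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


def installed_version(package: str = "ksh"):
    """Installed version via dpkg-query, or None if dpkg/package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


if __name__ == "__main__":
    # usage: ksh_cve_2019_14868.py [release] [version]; version defaults to dpkg's
    release = sys.argv[1] if len(sys.argv) > 1 else "buster"
    version = sys.argv[2] if len(sys.argv) > 2 else installed_version()
    if version is None:
        sys.exit("ksh is not installed (or dpkg-query is unavailable)")
    print(f"ksh {version} on {release}: {status(release, version)}")
```

Run it as `python3 ksh_cve_2019_14868.py stretch 93u+20120801-3.1` to see a pre-DLA stretch package reported as vulnerable; on a Debian host with ksh installed, omitting the version argument takes it from dpkg-query. Note that the ksh93 source package listed as "(unfixed)" on this page is a separate package and is not covered by this table.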

Notes

[jessie] - ksh <ignored> (Minor issue)
https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
