PT-2018-3619 · Zsh+5 · Zsh+5

Daniel Shahaf

Published

2018-07-05

Updated

2024-06-15

CVE-2018-13259

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions zsh versions prior to 5.6

Description An issue was discovered in zsh where shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations For versions prior to 5.6, update to version 5.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of shebang lines exceeding 64 characters until a patch is available. Restrict access to sensitive data and systems to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2018-2654

BDU:2021-01388

CESA-2019_2017

CVE-2018-13259

DLA-2470-1

OPENSUSE-SU-2018_2741-1

OPENSUSE-SU-2018_2966-1

OPENSUSE-SU-2024:11543-1

RHSA-2019:2017

RHSA-2019_2017

SUSE-SU-2018:2686-1

SUSE-SU-2022:0161-1

SUSE-SU-2022:14910-1

SUSE-SU-2022_14910-1

USN-3764-1

Affected Products

Alt Linux

Centos

Red Hat

Suse

Ubuntu

Zsh

PT-2018-3619 · Zsh+5 · Zsh+5

CVE-2018-13259

Weakness Enumeration

Related Identifiers

Affected Products

References · 99