PT-2022-1769 · Zsh+11

Ryotak

·

Published

2022-02-12

·

Updated

2025-08-23

·

CVE-2021-45444

CVSS v2.0

10

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

zsh versions prior to 5.8.1

Description

When the PROMPT_SUBST option is set, zsh performs parameter expansion, command substitution and arithmetic expansion on the prompt string before rendering it. In versions before 5.8.1 that expansion was applied recursively: prompt sequences that consume the following characters as an argument, such as %F (foreground colour), had that argument expanded a second time. An attacker who controls text that ends up inside the prompt, for example the output of a command the prompt runs or a Git branch name inserted by vcs_info, can therefore place a $(...) command substitution in a %F argument and have it executed by the victim's interactive shell with the victim's privileges.

Recommendations

Update zsh to version 5.8.1 or later; distribution packages that backport the fix are listed under Related Identifiers. Where updating is not yet possible, escape every untrusted string before it reaches the prompt by doubling each % (the prompt escape for a literal percent sign, which is the approach zsh 5.8.1 applies in vcs_info), or unset PROMPT_SUBST so that the prompt string is not expanded at all. %F is only the demonstrated case, so merely avoiding the %F sequence in the prompt is not a complete mitigation.
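The following is an added example and is not part of this advisory or of the zsh project's own code. It shows the weak pattern the advisory describes (an untrusted string interpolated into a zsh prompt as-is) next to the hardened form, which doubles every % before the string reaches the prompt, and adds a version check for upstream zsh builds. The function names prompt_escape, vulnerable_prompt, hardened_prompt and zsh_version_fixed, and the sample branch name, are this example's own assumptions; it is written in POSIX sh so the helpers run unchanged in sh, bash and zsh.

```shell
#!/bin/sh
# Added example for CVE-2021-45444 (not from the advisory or the zsh project).
# Function names and the sample branch name are this example's own.

# prompt_escape: double every '%' so that zsh's prompt parser renders the
# text literally ('%%' is the documented prompt escape for a percent sign).
# sed is used instead of ${var//%/%%} so the helper is POSIX sh.
prompt_escape() {
    printf '%s\n' "$1" | sed 's/%/%%/g'
}

# Constructed untrusted input: a Git branch name chosen by whoever controls
# the repository. It smuggles a %F sequence whose argument is a command
# substitution, which is the shape of input the advisory warns about.
UNTRUSTED_BRANCH='%F{$(id)}evil'

# Weak pattern: the untrusted string is dropped into the prompt unchanged.
# On zsh before 5.8.1 with PROMPT_SUBST set, the argument of %F is expanded
# a second time, so $(id) would run in the user's shell. Only the resulting
# prompt string is built here; do not assign it to PROMPT on an unpatched zsh.
vulnerable_prompt() {
    printf '%s\n' "%n@%m ${UNTRUSTED_BRANCH} %# "
}

# Hardened pattern: the same prompt with the untrusted string escaped.
# '%%F{$(id)}evil' renders as the literal text '%F{$(id)}evil'; the
# substitution is never performed because the parser sees '%%' first.
hardened_prompt() {
    printf '%s\n' "%n@%m $(prompt_escape "$UNTRUSTED_BRANCH") %# "
}

# zsh_version_fixed: true when an upstream `zsh --version` string reports
# 5.8.1 or newer. Distribution packages backport the fix under the
# advisories listed on this page, so for those consult the package
# changelog rather than this number.
zsh_version_fixed() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    major=$(printf '%s\n' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    major=${major:-0}
    minor=${minor:-0}
    patch=${patch:-0}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -gt 8 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -eq 8 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# When run directly, print both prompt strings side by side.
printf 'vulnerable: %s\n' "$(vulnerable_prompt)"
printf 'hardened:   %s\n' "$(hardened_prompt)"
```

In a real configuration the escaping belongs where untrusted data is produced, not where PROMPT is defined: apply prompt_escape to the branch name (or the command output) before it is stored in the variable that PROMPT_SUBST later expands, so that every prompt sequence taking an argument is protected, not just %F.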

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

ALSA-2022:2120
ALT-PU-2022-1278
ALT-PU-2022-2433
ALT-PU-2024-14485
AZL-8586
BDU:2022-01068
CESA-2022_2120
CVE-2021-45444
DLA-2926-1
DSA-5078-1
MGASA-2022-0073
OESA-2022-1567
OESA-2022-2094
OPENSUSE-SU-2022:0735-1
OPENSUSE-SU-2022_0735-1
OPENSUSE-SU-2024:11959-1
RHSA-2022:2120
RHSA-2022_2120
RLSA-2022:2120
SUSE-SU-2022:0732-1
SUSE-SU-2022:0733-1
SUSE-SU-2022:0735-1
USN-5325-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Apple macOS
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
Zsh