CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-10070
https://notcve.org/view.php?id=CVE-2014-10070
zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled. zsh, en versiones anteriores a la 5.0.7, permite la evaluación de los valores- iniciales de las variables de enteros importadas del entorno (en lugar de tratarlas como números literales). Esto podría permitir el escalado de privilegios local, bajo ciertas condiciones específicas y atípicas, cuando zsh se está invocando en contextos de elevación de privilegios en los que el entorno no se ha saneado correctamente, como cuando zsh se invoca en sistemas en los que se ha deshabilitado "env_reset". • http://zsh.sourceforge.net/releases.html https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72 https://usn.ubuntu.com/3593-1 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18205 – zsh: NULL dereference in cd in sh compatibility mode under given circumstances
https://notcve.org/view.php?id=CVE-2017-18205
In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. En builtin.c en zsh, en versiones anteriores a la 5.4, cuando se emplea el modo de compatibilidad sh, hay una desreferencia de puntero NULL durante el procesamiento del comando cd sin argumento si no está establecido HOME. A NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell. • https://access.redhat.com/errata/RHSA-2018:3073 https://security.gentoo.org/glsa/201805-10 https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58 https://usn.ubuntu.com/3593-1 https://access.redhat.com/security/cve/CVE-2017-18205 https://bugzilla.redhat.com/show_bug.cgi?id=1549862 • CWE-476: NULL Pointer Dereference CWE-665: Improper Initialization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-10072 – zsh: buffer overflow when scanning very long directory paths for symbolic links
https://notcve.org/view.php?id=CVE-2014-10072
In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic links. En utils.c en zsh, en versiones anteriores a la 5.0.6, hay un desbordamiento de búfer al escanear rutas de directorio muy largas para detectar enlaces simbólicos. A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do symbolic link resolution in the aforementioned path. An attacker could exploit this vulnerability to cause a denial of service condition on the target. • https://access.redhat.com/errata/RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:3073 https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210 https://usn.ubuntu.com/3593-1 https://access.redhat.com/security/cve/CVE-2014-10072 https://bugzilla.redhat.com/show_bug.cgi?id=1549836 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •