CVE-2017-18205

zsh: NULL dereference in cd in sh compatibility mode under given circumstances

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set.

En builtin.c en zsh, en versiones anteriores a la 5.4, cuando se emplea el modo de compatibilidad sh, hay una desreferencia de puntero NULL durante el procesamiento del comando cd sin argumento si no está establecido HOME.

A NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.

It was discovered that Zsh incorrectly handled certain environment variables. An attacker could possibly use this issue to gain privileged access to the system. This issue only affected Ubuntu 14.04 LTS. It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-02-27 CVE Reserved
2018-02-27 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference
CWE-665: Improper Initialization

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58	2018-10-31

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:3073	2018-10-31
https://security.gentoo.org/glsa/201805-10	2018-10-31
https://usn.ubuntu.com/3593-1	2018-10-31
https://access.redhat.com/security/cve/CVE-2017-18205	2018-10-30
https://bugzilla.redhat.com/show_bug.cgi?id=1549862	2018-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zsh Project Search vendor "Zsh Project"		Zsh Search vendor "Zsh Project" for product "Zsh"				< 5.4 Search vendor "Zsh Project" for product "Zsh" and version " < 5.4"		-		Affected