CVE Vulnerabilities

CVE-2014-10070

Published: Feb 27, 2018 | Modified: Mar 21, 2018
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
4.6 MEDIUM
AV:L/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:N
Ubuntu
MEDIUM

zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where env_reset has been disabled.

Affected Software

Name Vendor Start Version End Version
Zsh Zsh_project * 5.0.6 (including)
Zsh Ubuntu artful *
Zsh Ubuntu trusty *

References