Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-45444

Published: Feb 14, 2022 | Modified: Nov 07, 2023
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x
5.1 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7.8 MODERATE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
LOW
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-45444
CWEhttps://cwe.mitre.org/data/definitions/.html

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.

Affected Software

Name Vendor Start Version End Version
Zsh Zsh * 5.8.1 (excluding)
Red Hat Enterprise Linux 8 RedHat zsh-0:5.5.1-9.el8 *
Red Hat Enterprise Linux 8 RedHat zsh-0:5.5.1-9.el8 *
Zsh Ubuntu bionic *
Zsh Ubuntu esm-infra/xenial *
Zsh Ubuntu focal *
Zsh Ubuntu impish *
Zsh Ubuntu trusty *
Zsh Ubuntu upstream *
Zsh Ubuntu xenial *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use