Improper Input Validation

Affecting zsh package, versions:
  • debian:10: <5.6-1
  • debian:8: *
  • debian:9: *
  • debian:unstable: <5.6-1
  • ubuntu:14.04: <5.0.2-3ubuntu6.3
  • ubuntu:16.04: <5.1.1-1ubuntu2.3
  • ubuntu:18.04: <5.4.2-3ubuntu3.1

Overview

An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.
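
The audit script below is an added example, not part of the advisory or of zsh: it flags files whose shebang line exceeds the 64 characters mentioned above and reports which interpreter path would remain after truncation. It assumes the limit counts from the start of the line, `#!` included; the function names and the sample path are hypothetical.

```sh
#!/bin/sh
# Added example, not from the advisory or zsh: flag scripts whose #! line is
# longer than the advisory's 64 characters and whose interpreter path changes
# when the line is cut there.
# Assumption: the limit counts from the start of the line, "#!" included.
LIMIT=64

# shebang_of FILE: print FILE's first line if it starts with "#!", else fail.
shebang_of() {
    line=
    IFS= read -r line < "$1" || [ -n "$line" ] || return 1
    case $line in '#!'*) printf '%s\n' "$line" ;; *) return 1 ;; esac
}

# interp_of LINE: print the interpreter path named by a shebang line.
interp_of() {
    rest=${1#'#!'}
    set -f          # no globbing while word-splitting
    set -- $rest    # default IFS: split on blanks
    set +f
    printf '%s\n' "${1:-}"
}

# truncated_interp LINE: interpreter path left after keeping LIMIT characters.
truncated_interp() {
    interp_of "$(printf '%s\n' "$1" | cut -c1-"$LIMIT")"
}

# check_script FILE: return 0 and print a finding when truncation would change
# the program name; return 1 otherwise. Cut-off arguments are not reported.
check_script() {
    line=$(shebang_of "$1") || return 1
    full=$(interp_of "$line")
    short=$(truncated_interp "$line")
    [ "$full" != "$short" ] || return 1
    printf '%s: %d-char shebang names %s, truncated form is %s\n' \
        "$1" "${#line}" "$full" "$short"
}

# Constructed sample: a 75-character shebang line with a hypothetical path.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '#!/opt/acme/dev/release-engineering/virtualenvs/prod/bin/python3.11-wrapper' > "$tmp"
    check_script "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo
```

Calling `check_script` on each executable script in a directory tree gives a list of files to shorten or relocate on hosts that still run an affected zsh.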

CVSS Score

9.8 high severity
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2018-13259
CWE: CWE-20
Snyk ID: SNYK-LINUX-ZSH-172775
Disclosed: 05 Sep, 2018
Published: 25 Sep, 2018