CVE-2014-10070

Sažetak

zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled.

Reference

http://zsh.sourceforge.net/releases.html
https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
https://usn.ubuntu.com/3593-1/

CVSS

Base:	4.6
Impact:	6.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:L/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

21-03-2018 - 01:29

Objavljeno

27-02-2018 - 22:29