CVE-2014-10070
Summary
| CVE | CVE-2014-10070 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-02-27 22:29:00 UTC |
| Updated | 2018-03-21 01:29:00 UTC |
| Description | zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled. |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zsh Project | Zsh | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ZSH - Release Notes | MISC | zsh.sourceforge.net | Release Notes, Third Party Advisory |
| zsh / Code / Commit [546203] | MISC | sourceforge.net | Patch, Third Party Advisory |
| USN-3593-1: Zsh vulnerabilities \| Ubuntu security notices | UBUNTU | usn.ubuntu.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 296073 Oracle Solaris 11.4 Support Repository Update (SRU) 24.75.2 Missing (CPUJUL2020)
- 753235 SUSE Enterprise Linux Security Update for zsh (SUSE-SU-2022:14910-1)