CVE-2018-13259

moderate-risk

Published 2018-09-05

An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.

Do I need to act?

0.65% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: b30b89418af2495c0d48a72573f908c4ecf05efd

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Ubuntu Linux

Zsh

Affected Vendors

Canonical Zsh

References (14)

https://access.redhat.com/errata/RHSA-2019:2017

Mailing List https://bugs.debian.org/908000

https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html

Third Party Advisory https://security.gentoo.org/glsa/201903-02

Patch https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

Third Party Advisory https://usn.ubuntu.com/3764-1/

Mailing List https://www.zsh.org/mla/zsh-announce/136

https://access.redhat.com/errata/RHSA-2019:2017

Mailing List https://bugs.debian.org/908000

https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html

Third Party Advisory https://security.gentoo.org/glsa/201903-02

Patch https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

Third Party Advisory https://usn.ubuntu.com/3764-1/

Mailing List https://www.zsh.org/mla/zsh-announce/136

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 10/34 · Low