CVE-2021-45444

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
zshzsh
𝑥
< 5.8.1
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
applemac_os_x
10.15 ≤
𝑥
< 10.15.7
applemac_os_x
10.15.7:security_update_2020
applemac_os_x
10.15.7:security_update_2020-001
applemac_os_x
10.15.7:security_update_2020-005
applemac_os_x
10.15.7:security_update_2020-007
applemac_os_x
10.15.7:security_update_2021-001
applemac_os_x
10.15.7:security_update_2021-002
applemac_os_x
10.15.7:security_update_2021-003
applemac_os_x
10.15.7:security_update_2021-006
applemac_os_x
10.15.7:security_update_2021-007
applemac_os_x
10.15.7:security_update_2021-008
applemac_os_x
10.15.7:security_update_2022-001
applemac_os_x
10.15.7:security_update_2022-002
applemac_os_x
10.15.7:security_update_2022-003
applemacos
11.0 ≤
𝑥
< 11.6.6
applemacos
12.0.0 ≤
𝑥
< 12.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
zsh
bullseye (security)
5.8-6+deb11u1
fixed
bullseye
5.8-6+deb11u1
fixed
bookworm
5.9-4
fixed
sid
5.9-8
fixed
trixie
5.9-8
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
zsh
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
needs-triage
impish
Fixed 5.8-6ubuntu0.1
released
focal
Fixed 5.8-3ubuntu1.1
released
bionic
Fixed 5.4.2-3ubuntu3.2
released
xenial
Fixed 5.1.1-1ubuntu2.3+esm1
released
trusty
ignored
References
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
https://lists.debian.org/debian-lts-announce/2022/02/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P3LPMGENEHKDWFO4MWMZSZL6G7Y4CV7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWF3EXNBX5SVFDBL4ZFOD4GJBWFUKWN4/
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://vuln.ryotak.me/advisories/63
https://www.debian.org/security/2022/dsa-5078
https://zsh.sourceforge.io/releases.html
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
https://lists.debian.org/debian-lts-announce/2022/02/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P3LPMGENEHKDWFO4MWMZSZL6G7Y4CV7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWF3EXNBX5SVFDBL4ZFOD4GJBWFUKWN4/
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://vuln.ryotak.me/advisories/63
https://www.debian.org/security/2022/dsa-5078
https://zsh.sourceforge.io/releases.html