CVE-2019-14868: Command Injection

Q: What is CVE-2019-14868?

CVE-2019-14868 is an issue in the handling of environment variables in ksh (Korn Shell).

Q: What software versions are affected by CVE-2019-14868?

CVE-2019-14868 affects macOS Catalina version 10.15.5 exclusively.

Q: How was CVE-2019-14868 addressed?

CVE-2019-14868 was addressed with improved validation.

Q: Is Apple Mojave affected by CVE-2019-14868?

Yes, Apple Mojave is affected by CVE-2019-14868.

Q: Where can I find more information about CVE-2019-14868?

You can find more information about CVE-2019-14868 at the following reference: [Apple Support](https://support.apple.com/en-us/HT211170)

Published Apr 2, 2020

Updated

ksh. An issue existed in the handling of environment variables. This issue was addressed with improved validation.

Other sources

In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

Credit

CVE-2019-14868

Affected Software

6 affected componentsFixes available

Apple macOS Catalina<10.15.5

10.15.5

Apple Mojave

Apple High Sierra

Ksh Project Ksh=20120801

Debian Debian Linux=9.0

Apple iOS and macOS<10.15.5

Remediation

Patch Available

https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2

Event History

Apr 2, 2020

CVE Published

via MITRE·04:48 PM

Data Sourced

via MITRE·04:48 PM

DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

HT211170

Frequently Asked Questions

What is CVE-2019-14868?

CVE-2019-14868 is an issue in the handling of environment variables in ksh (Korn Shell).

What software versions are affected by CVE-2019-14868?

CVE-2019-14868 affects macOS Catalina version 10.15.5 exclusively.

How was CVE-2019-14868 addressed?