CVE-2021-45444

Published: 14 February 2022

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.

Priority

Low

CVSS 3 base score: 7.8

Status

Package: zsh (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Released (5.4.2-3ubuntu3.2)
focal     Released (5.8-3ubuntu1.1)
impish    Released (5.8-6ubuntu0.1)
trusty    Ignored (out of standard support)
upstream  Released (5.8.1-1)
xenial    Released (5.1.1-1ubuntu2.3+esm1)