{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"zsh security update", "category":"general", "title":"Synopsis" }, { "text":"An update for zsh is now available for openEuler-22.03-LTS.", "category":"general", "title":"Summary" }, { "text":"The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of the useful features of bash, ksh, and tcsh were incorporated into zsh. It can match files by file extension without running an external program, share command history with any shell, and more.\n\nSecurity Fix(es):\n\nIn zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.(CVE-2021-45444)", "category":"general", "title":"Description" }, { "text":"An update for zsh is now available for openEuler-22.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"zsh", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2022-2094", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2094" }, { "summary":"CVE-2021-45444", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2021-45444&packageName=zsh" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45444" }, { "summary":"openEuler-SA-2022-2094 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2022/csaf-openeuler-sa-2022-2094.json" } ], "title":"An update for zsh is now available for openEuler-22.03-LTS", "tracking":{ "initial_release_date":"2022-11-11T09:49:38+08:00", "revision_history":[ { "date":"2022-11-11T09:49:38+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:49:38+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:49:38+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:49:38+08:00", "id":"openEuler-SA-2022-2094", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"openEuler-22.03-LTS", "name":"openEuler-22.03-LTS" }, "name":"openEuler-22.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-5.8-3.oe2203.aarch64.rpm", "name":"zsh-5.8-3.oe2203.aarch64.rpm" }, "name":"zsh-5.8-3.oe2203.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-debugsource-5.8-3.oe2203.aarch64.rpm", "name":"zsh-debugsource-5.8-3.oe2203.aarch64.rpm" }, "name":"zsh-debugsource-5.8-3.oe2203.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-debuginfo-5.8-3.oe2203.aarch64.rpm", "name":"zsh-debuginfo-5.8-3.oe2203.aarch64.rpm" }, "name":"zsh-debuginfo-5.8-3.oe2203.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-help-5.8-3.oe2203.noarch.rpm", "name":"zsh-help-5.8-3.oe2203.noarch.rpm" }, "name":"zsh-help-5.8-3.oe2203.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-5.8-3.oe2203.src.rpm", "name":"zsh-5.8-3.oe2203.src.rpm" }, "name":"zsh-5.8-3.oe2203.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-5.8-3.oe2203.x86_64.rpm", "name":"zsh-5.8-3.oe2203.x86_64.rpm" }, "name":"zsh-5.8-3.oe2203.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-debugsource-5.8-3.oe2203.x86_64.rpm", "name":"zsh-debugsource-5.8-3.oe2203.x86_64.rpm" }, "name":"zsh-debugsource-5.8-3.oe2203.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"zsh-debuginfo-5.8-3.oe2203.x86_64.rpm", "name":"zsh-debuginfo-5.8-3.oe2203.x86_64.rpm" }, "name":"zsh-debuginfo-5.8-3.oe2203.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-5.8-3.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-5.8-3.oe2203.aarch64", "name":"zsh-5.8-3.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-debugsource-5.8-3.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.aarch64", "name":"zsh-debugsource-5.8-3.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-debuginfo-5.8-3.oe2203.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.aarch64", "name":"zsh-debuginfo-5.8-3.oe2203.aarch64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-help-5.8-3.oe2203.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-help-5.8-3.oe2203.noarch", "name":"zsh-help-5.8-3.oe2203.noarch as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-5.8-3.oe2203.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-5.8-3.oe2203.src", "name":"zsh-5.8-3.oe2203.src as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-5.8-3.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-5.8-3.oe2203.x86_64", "name":"zsh-5.8-3.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-debugsource-5.8-3.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.x86_64", "name":"zsh-debugsource-5.8-3.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"zsh-debuginfo-5.8-3.oe2203.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.x86_64", "name":"zsh-debuginfo-5.8-3.oe2203.x86_64 as a component of openEuler-22.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2021-45444", "notes":[ { "text":"In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS:zsh-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-help-5.8-3.oe2203.noarch", "openEuler-22.03-LTS:zsh-5.8-3.oe2203.src", "openEuler-22.03-LTS:zsh-5.8-3.oe2203.x86_64", "openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.x86_64", "openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS:zsh-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-help-5.8-3.oe2203.noarch", "openEuler-22.03-LTS:zsh-5.8-3.oe2203.src", "openEuler-22.03-LTS:zsh-5.8-3.oe2203.x86_64", "openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.x86_64", "openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.x86_64" ], "details":"zsh security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2094" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":8.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-22.03-LTS:zsh-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.aarch64", "openEuler-22.03-LTS:zsh-help-5.8-3.oe2203.noarch", "openEuler-22.03-LTS:zsh-5.8-3.oe2203.src", "openEuler-22.03-LTS:zsh-5.8-3.oe2203.x86_64", "openEuler-22.03-LTS:zsh-debugsource-5.8-3.oe2203.x86_64", "openEuler-22.03-LTS:zsh-debuginfo-5.8-3.oe2203.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2021-45444" } ] }