{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2023 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2019-14868","title":"Title"},{"category":"description","text":"In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2019-14868","url":"https://www.suse.com/security/cve/CVE-2019-14868"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1160796 for CVE-2019-14868","url":"https://bugzilla.suse.com/1160796"}],"title":"SUSE CVE CVE-2019-14868","tracking":{"current_release_date":"2023-02-15T04:09:21Z","generator":{"date":"2023-02-15T04:09:21Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2019-14868","initial_release_date":"2023-02-15T04:09:21Z","revision_history":[{"date":"2023-02-15T04:09:21Z","number":"2","summary":"Current version"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Software Development Kit 12 SP4","product":{"name":"SUSE Linux Enterprise Software Development Kit 12 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-sdk:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 11 SP1 for Teradata","product":{"name":"SUSE Linux Enterprise Server 11 SP1 for Teradata","product_id":"SUSE Linux Enterprise Server 11 SP1 for Teradata","product_identification_helper":{"cpe":"cpe:/o:suse:suse_sles_teradata:11:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 11 SP3 for Teradata","product":{"name":"SUSE Linux Enterprise Server 11 SP3 for Teradata","product_id":"SUSE Linux Enterprise Server 11 SP3 for Teradata","product_identification_helper":{"cpe":"cpe:/o:suse:suse_sles_teradata:11:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 11 SP4 LTSS","product":{"name":"SUSE Linux Enterprise Server 11 SP4 LTSS","product_id":"SUSE Linux Enterprise Server 11 SP4 LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:suse_sles_ltss:11:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Software Development Kit 12 SP4","product":{"name":"SUSE Linux Enterprise Software Development Kit 12 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-sdk:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Software Development Kit 12 SP5","product":{"name":"SUSE Linux Enterprise Software Development Kit 12 SP5","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-sdk:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Software Development Kit 12 SP4","product":{"name":"SUSE Linux Enterprise Software Development Kit 12 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-sdk:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Legacy 12","product":{"name":"SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-legacy:12"}}},{"category":"product_name","name":"SUSE Linux Enterprise Software Development Kit 12 SP5","product":{"name":"SUSE Linux Enterprise Software Development Kit 12 SP5","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-sdk:12:sp5"}}},{"category":"product_version","name":"ksh","product":{"name":"ksh","product_id":"ksh","product_identification_helper":{"cpe":"cpe:2.3:a:ksh_project:ksh:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"ksh-devel","product":{"name":"ksh-devel","product_id":"ksh-devel"}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ksh as component of SUSE Linux Enterprise Module for Legacy 12","product_id":"SUSE Linux Enterprise Module for Legacy 12:ksh"},"product_reference":"ksh","relates_to_product_reference":"SUSE Linux Enterprise Module for Legacy 12"},{"category":"default_component_of","full_product_name":{"name":"ksh as component of SUSE Linux Enterprise Server 11 SP1 for Teradata","product_id":"SUSE Linux Enterprise Server 11 SP1 for Teradata:ksh"},"product_reference":"ksh","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP1 for Teradata"},{"category":"default_component_of","full_product_name":{"name":"ksh as component of SUSE Linux Enterprise Server 11 SP3 for Teradata","product_id":"SUSE Linux Enterprise Server 11 SP3 for Teradata:ksh"},"product_reference":"ksh","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP3 for Teradata"},{"category":"default_component_of","full_product_name":{"name":"ksh as component of SUSE Linux Enterprise Server 11 SP4 LTSS","product_id":"SUSE Linux Enterprise Server 11 SP4 LTSS:ksh"},"product_reference":"ksh","relates_to_product_reference":"SUSE Linux Enterprise Server 11 SP4 LTSS"},{"category":"default_component_of","full_product_name":{"name":"ksh-devel as component of SUSE Linux Enterprise Software Development Kit 12 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP4:ksh-devel"},"product_reference":"ksh-devel","relates_to_product_reference":"SUSE Linux Enterprise Software Development Kit 12 SP4"},{"category":"default_component_of","full_product_name":{"name":"ksh as component of SUSE Linux Enterprise Software Development Kit 12 SP4","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP4:ksh"},"product_reference":"ksh","relates_to_product_reference":"SUSE Linux Enterprise Software Development Kit 12 SP4"},{"category":"default_component_of","full_product_name":{"name":"ksh-devel as component of SUSE Linux Enterprise Software Development Kit 12 SP5","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP5:ksh-devel"},"product_reference":"ksh-devel","relates_to_product_reference":"SUSE Linux Enterprise Software Development Kit 12 SP5"},{"category":"default_component_of","full_product_name":{"name":"ksh as component of SUSE Linux Enterprise Software Development Kit 12 SP5","product_id":"SUSE Linux Enterprise Software Development Kit 12 SP5:ksh"},"product_reference":"ksh","relates_to_product_reference":"SUSE Linux Enterprise Software Development Kit 12 SP5"}]},"vulnerabilities":[{"cve":"CVE-2019-14868","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2019-14868"}],"notes":[{"category":"general","text":"In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.","title":"Vulnerability description"}],"product_status":{"known not affected":["SUSE Linux Enterprise Module for Legacy 12:ksh","SUSE Linux Enterprise Server 11 SP1 for Teradata:ksh","SUSE Linux Enterprise Server 11 SP3 for Teradata:ksh","SUSE Linux Enterprise Server 11 SP4 LTSS:ksh","SUSE Linux Enterprise Software Development Kit 12 SP4:ksh","SUSE Linux Enterprise Software Development Kit 12 SP4:ksh-devel","SUSE Linux Enterprise Software Development Kit 12 SP5:ksh","SUSE Linux Enterprise Software Development Kit 12 SP5:ksh-devel"]},"references":[{"category":"external","summary":"CVE-2019-14868","url":"https://www.suse.com/security/cve/CVE-2019-14868"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1160796 for CVE-2019-14868","url":"https://bugzilla.suse.com/1160796"}],"threats":[{"category":"impact","date":"2020-01-13T15:38:13Z","details":"moderate"}],"title":"CVE-2019-14868"}]}