10

CVE-2014-6278

Warnung
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GnuBash Version1.14.0
GnuBash Version1.14.1
GnuBash Version1.14.2
GnuBash Version1.14.3
GnuBash Version1.14.4
GnuBash Version1.14.5
GnuBash Version1.14.6
GnuBash Version1.14.7
GnuBash Version2.0
GnuBash Version2.01
GnuBash Version2.01.1
GnuBash Version2.02
GnuBash Version2.02.1
GnuBash Version2.03
GnuBash Version2.04
GnuBash Version2.05
GnuBash Version2.05 Updatea
GnuBash Version2.05 Updateb
GnuBash Version3.0
GnuBash Version3.0.16
GnuBash Version3.1
GnuBash Version3.2
GnuBash Version3.2.48
GnuBash Version4.0
GnuBash Version4.0 Updaterc1
GnuBash Version4.1
GnuBash Version4.2
GnuBash Version4.3

02.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

GNU Bash OS Command Injection Vulnerability

Schwachstelle

GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.62% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://marc.info/?l=bugtraq&m=141383465822787&w=2
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21685604
Third Party Advisory
http://jvn.jp/en/jp/JVN55667175/index.html
Third Party Advisory
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
Mailing List
http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
Mailing List
http://marc.info/?l=bugtraq&m=141330468527613&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141345648114150&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141383026420882&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141383081521087&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141383196021590&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141383244821813&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141383304022067&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141383353622268&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141450491804793&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141576728022234&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141577137423233&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141577241923505&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141577297623641&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141585637922673&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=141879528318582&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=142118135300698&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=142358026505815&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=142358078406056&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=142721162228379&w=2
Third Party Advisory
http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
Third Party Advisory
http://secunia.com/advisories/58200
Broken Link
http://secunia.com/advisories/59907
Broken Link
http://secunia.com/advisories/60024
Broken Link
http://secunia.com/advisories/60034
Broken Link
http://secunia.com/advisories/60044
Broken Link
http://secunia.com/advisories/60055
Broken Link
http://secunia.com/advisories/60063
Broken Link
http://secunia.com/advisories/60193
Broken Link
http://secunia.com/advisories/60325
Broken Link
http://secunia.com/advisories/60433
Broken Link
http://secunia.com/advisories/61065
Broken Link
http://secunia.com/advisories/61128
Broken Link
http://secunia.com/advisories/61129
Broken Link
http://secunia.com/advisories/61283
Broken Link
http://secunia.com/advisories/61287
Broken Link
http://secunia.com/advisories/61291
Broken Link
http://secunia.com/advisories/61312
Broken Link
http://secunia.com/advisories/61313
Broken Link
http://secunia.com/advisories/61328
Broken Link
http://secunia.com/advisories/61442
Broken Link
http://secunia.com/advisories/61471
Broken Link
http://secunia.com/advisories/61485
Broken Link
http://secunia.com/advisories/61503
Broken Link
http://secunia.com/advisories/61550
Broken Link
http://secunia.com/advisories/61552
Broken Link
http://secunia.com/advisories/61565
Broken Link
http://secunia.com/advisories/61603
Broken Link
http://secunia.com/advisories/61633
Broken Link
http://secunia.com/advisories/61641
Broken Link
http://secunia.com/advisories/61643
Broken Link
http://secunia.com/advisories/61654
Broken Link
http://secunia.com/advisories/61703
Broken Link
http://secunia.com/advisories/61780
Broken Link
http://secunia.com/advisories/61816
Broken Link
http://secunia.com/advisories/61857
Broken Link
http://secunia.com/advisories/62312
Broken Link
http://secunia.com/advisories/62343
Third Party Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21685541
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21685733
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21685749
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21685914
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21686131
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21686246
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21686445
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21686479
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21686494
Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21687079
Third Party Advisory
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315
Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:164
Third Party Advisory
http://www.novell.com/support/kb/doc.php?id=7015721
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
Third Party Advisory
http://www.qnap.com/i/en/support/con_show.php?cid=61
Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2014-0010.html
Third Party Advisory
https://kb.bluecoat.com/index?page=content&id=SA82
Third Party Advisory
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10085
Third Party Advisory
https://support.citrix.com/article/CTX200217
Third Party Advisory
https://support.citrix.com/article/CTX200223
Third Party Advisory
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183
Third Party Advisory
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts
Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006
Third Party Advisory
https://www.suse.com/support/shellshock/
Vendor Advisory
http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
Patch
Third Party Advisory
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
Third Party Advisory
http://linux.oracle.com/errata/ELSA-2014-3093
Third Party Advisory
http://linux.oracle.com/errata/ELSA-2014-3094
Third Party Advisory
http://secunia.com/advisories/59961
Broken Link
http://www.ubuntu.com/usn/USN-2380-1
Third Party Advisory
http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html
Third Party Advisory
http://support.novell.com/security/cve/CVE-2014-6278.html
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1147414
Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2014-6278
Third Party Advisory
https://www.exploit-db.com/exploits/39568/
Third Party Advisory
https://www.exploit-db.com/exploits/39887/
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-6278
US Government Resource