10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.9%
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | bash | < 4.3-9.2 | bash_4.3-9.2_all.deb |
Debian | 11 | all | bash | < 4.3-9.2 | bash_4.3-9.2_all.deb |
Debian | 10 | all | bash | < 4.3-9.2 | bash_4.3-9.2_all.deb |
Debian | 999 | all | bash | < 4.3-9.2 | bash_4.3-9.2_all.deb |
Debian | 13 | all | bash | < 4.3-9.2 | bash_4.3-9.2_all.deb |