Stephane Chazelas discovered that Bash incorrectly handled trailing code in
function definitions. An attacker could use this issue to bypass
environment restrictions, such as SSH forced command environments.

OSVersionArchitecturePackageVersionFilename
Ubuntu14.04noarchbash< 4.3-7ubuntu1.1UNKNOWN
Ubuntu14.04noarchbash-builtins< 4.3-7ubuntu1.1UNKNOWN
Ubuntu14.04noarchbash-static< 4.3-7ubuntu1.1UNKNOWN
Ubuntu12.04noarchbash< 4.2-2ubuntu2.2UNKNOWN
Ubuntu12.04noarchbash-builtins< 4.2-2ubuntu2.2UNKNOWN
Ubuntu12.04noarchbash-static< 4.2-2ubuntu2.2UNKNOWN
Ubuntu10.04noarchbash< 4.1-2ubuntu3.1UNKNOWN
Ubuntu10.04noarchbash-builtins< 4.1-2ubuntu3.1UNKNOWN
Ubuntu10.04noarchbash-static< 4.1-2ubuntu3.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	14.04	noarch	bash	< 4.3-7ubuntu1.1	UNKNOWN
Ubuntu	14.04	noarch	bash-builtins	< 4.3-7ubuntu1.1	UNKNOWN
Ubuntu	14.04	noarch	bash-static	< 4.3-7ubuntu1.1	UNKNOWN
Ubuntu	12.04	noarch	bash	< 4.2-2ubuntu2.2	UNKNOWN
Ubuntu	12.04	noarch	bash-builtins	< 4.2-2ubuntu2.2	UNKNOWN
Ubuntu	12.04	noarch	bash-static	< 4.2-2ubuntu2.2	UNKNOWN
Ubuntu	10.04	noarch	bash	< 4.1-2ubuntu3.1	UNKNOWN
Ubuntu	10.04	noarch	bash-builtins	< 4.1-2ubuntu3.1	UNKNOWN
Ubuntu	10.04	noarch	bash-static	< 4.1-2ubuntu3.1	UNKNOWN

References

ubuntu.com/security/CVE-2014-6271

zdt 19

exploitpack 8

nessus 36

redhat 3

openvas 27

thn 3

packetstorm 26

saint 12

debian 5

exploitdb 4

hackerone 1

myhack58 2

gentoo 2

amazon 1

suse 6

securityvulns 7

oraclelinux 2

seebug 3

fedora 3

osv 1

cisa_kev 2

metasploit 2

centos 1

slackware 2

threatpost 3

kitploit 1

mageia 2

checkpoint_security 1

prion 3

debiancve 2

paloalto 1

attackerkb 1

freebsd 1

veracode 1

symantec 1

ics 1

cve 1

impervablog 1

ubuntucve 1

zdt

Bash Environment Variables Code Injection Exploit

2014-09-25 00:00:00

IPFire - Bash Environment Variable Injection (Shellshock)

2016-06-10 00:00:00

Pure-FTPd External Authentication Bash Environment Variable Code Injection Exploit

2014-10-02 00:00:00

exploitpack

GNU Bash - Environment Variable Command Injection (Metasploit)

2014-09-25 00:00:00

OpenVPN 2.2.29 - Shellshock Remote Command Injection

2014-10-04 00:00:00

Cisco Unified Communications Manager - Multiple Vulnerabilities

2015-08-18 00:00:00

nessus

CentOS 5 / 6 / 7 : bash (CESA-2014:1293) (Shellshock)

2014-09-25 00:00:00

Oracle Linux 4 : bash (ELSA-2014-1294) (Shellshock)

2014-09-25 00:00:00

SIP Script Remote Command Execution via Shellshock

2014-11-03 00:00:00

redhat

(RHSA-2014:1295) Critical: bash Shift_JIS security update

2014-09-24 00:00:00

(RHSA-2014:1294) Critical: bash security update

2014-09-24 00:00:00

(RHSA-2014:1293) Critical: bash security update

2014-09-24 00:00:00

openvas

Debian Security Advisory DSA 3032-1 (bash - security update)

2014-09-24 00:00:00

Debian: Security Advisory (DLA-59-1)

2023-03-08 00:00:00

SUSE: Security Advisory for bash (SUSE-SU-2014:1260-1)

2015-10-16 00:00:00

thn

Remotely Exploitable 'Bash Shell' Vulnerability Affects Linux, Unix and Apple Mac OS X

2014-09-24 20:19:00

BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox

2014-11-17 03:01:00

Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks

2014-09-26 20:07:00

packetstorm

FutureNet NXR-G240 Series ShellShock Command Injection

2018-12-07 00:00:00

Pure-FTPd External Authentication Bash Environment Variable Code Injection

2014-10-02 00:00:00

Cisco Unified Communications Manager Command Execution

2015-08-13 00:00:00

saint

Bash environment variable code injection over HTTP

2014-09-26 00:00:00

ShellShock DHCP Server

2014-11-20 00:00:00

Bash Environment Variable Handling Shell Command Injection Via CUPS

2014-11-05 00:00:00

debian

[SECURITY] [DSA 3032-1] bash security update

2014-09-24 14:06:06

[SECURITY] [email protected]

2014-09-24 15:22:27

[SECURITY] [email protected]

2014-09-24 15:22:47

exploitdb

Qmail SMTP 1.03 - Bash Environment Variable Injection

2020-07-08 00:00:00

IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)

2016-06-10 00:00:00

RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection

2016-12-18 00:00:00

hackerone

Internet Bug Bounty: GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability

2014-09-24 00:00:00

myhack58

From the parsing perspective analysis of the Shellshock Vulnerability[CVE-2 0 1 4-6 2 7 1]-vulnerability warning-the black bar safety net

2014-09-28 00:00:00

bash code injection security vulnerability-vulnerability warning-the black bar safety net

2014-09-28 00:00:00

gentoo

Bash: Code Injection

2014-09-24 00:00:00

Bash: Code Injection (Updated fix for GLSA 201409-09)

2014-09-25 00:00:00

amazon

Critical: bash

2014-09-24 07:48:00

suse

bash (critical)

2014-09-30 17:06:26

Security update for bash (critical)

2014-09-27 01:04:16

Important security fix for bash that allows the injection of commands. (important)

2014-09-28 12:09:20

securityvulns

Re: [oss-security] CVE-2014-6271: remote code execution through bash

2014-09-25 00:00:00

Re: [oss-security] CVE-2014-6271: remote code execution through bash

2014-09-25 00:00:00

Cisco Unified Communications Manager Multiple Vulnerabilities (VP2015-001)

2015-08-17 00:00:00

oraclelinux

bash security update

2014-09-24 00:00:00

bash security update

2014-09-24 00:00:00

seebug

GNU bash Environment Variable Command Injection (MSF)

2014-09-29 00:00:00

IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit

2014-10-10 00:00:00

OpenVPN 2.2.29 - ShellShock Exploit

2014-10-10 00:00:00

fedora

[SECURITY] Fedora 21 Update: bash-4.3.22-3.fc21

2014-09-27 10:03:24

[SECURITY] Fedora 20 Update: bash-4.2.48-2.fc20

2014-09-26 09:03:00

[SECURITY] Fedora 19 Update: bash-4.2.48-2.fc19

2014-09-26 09:00:48

osv

bash - security update

2014-09-24 00:00:00

cisa_kev

GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability

2022-01-28 00:00:00

GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability

2022-01-28 00:00:00

metasploit

IPFire Bash Environment Variable Injection (Shellshock)

2016-05-30 00:40:12

Advantech Switch Bash Environment Variable Code Injection (Shellshock)

2015-12-01 17:33:45

centos

bash security update

2014-09-24 15:07:20

slackware

[slackware-security] bash

2014-09-29 19:33:36

[slackware-security] bash

2014-09-24 23:37:00

threatpost

Patching Bash Vulnerability a Challenge for ICS, SCADA

2014-09-25 14:34:38

Bash Botnet Exploit Found, Bash Patches Incomplete

2014-09-25 11:41:51

Bash Vulnerability Exploits Dropping DDoS Bots

2014-09-25 16:30:59

kitploit

xShock - Shellshock Exploit

2020-03-19 11:30:00

mageia

Updated bash packages fix CVE-2014-6271

2014-09-24 22:42:05

Updated bash packages fix CVE-2014-7169

2014-09-28 16:17:31

checkpoint_security

Check Point Response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability

2014-09-24 21:00:00

prion

Design/Logic Flaw

2014-09-25 01:55:00

Design/Logic Flaw

2014-09-24 18:48:00

Design/Logic Flaw

2015-01-13 11:59:00

debiancve

CVE-2014-6271

2014-09-24 18:48:00

CVE-2014-7169

2014-09-25 01:55:00

paloalto

Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)

2014-09-24 00:00:00

attackerkb

CVE-2014-7169

2014-09-25 00:00:00

freebsd

bash -- remote code execution vulnerability

2014-09-24 00:00:00

veracode

Remote Code Execution (RCE)

2019-01-15 09:01:57

symantec

GNU Bash CVE-2014-6271 Remote Code Execution Vulnerability

2014-09-24 00:00:00

ics

Bash Command Injection Vulnerability (Update A)

2018-09-06 12:00:00

cve

CVE-2014-7169

2014-09-25 01:55:00

impervablog

Log4j: One Year Later

2022-12-09 12:38:39

ubuntucve

CVE-2014-7169

2014-09-25 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
OpenSource

@2024 Vulners Inc

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON

Related for USN-2362-1