Metric | Value |
---|---|
CVSS2 base score | 10 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
CVSS2 vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
EPSS score | 0.973 High |
EPSS percentile | 99.9% |
GNU Bash through 4.3 bash43-025 processes trailing strings after certain
malformed function definitions in the values of environment variables,
which allows remote attackers to write to files or possibly have unknown
other impact via a crafted environment, as demonstrated by vectors
involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and
mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified
DHCP clients, and other situations in which setting the environment occurs
across a privilege boundary from Bash execution. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2014-6271.
Author | Note |
---|---|
mdeslaur | It was discovered that a build issue prevented the fix from being applied properly in the 4.3-7ubuntu1.2 package for Ubuntu 14.04 LTS. A respin was released as 4.3-7ubuntu1.3 to correct the issue, and USN-2363-2 was published. |
www.openwall.com/lists/oss-security/2014/09/25/5
launchpad.net/bugs/cve/CVE-2014-7169
nvd.nist.gov/vuln/detail/CVE-2014-7169
security-tracker.debian.org/tracker/CVE-2014-7169
twitter.com/taviso/status/514887394294652929
ubuntu.com/security/notices/USN-2363-1
ubuntu.com/security/notices/USN-2363-2
www.cve.org/CVERecord?id=CVE-2014-7169