Fluid Attacks Database

Description

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	bash	>=0 <4.3-9.2	4.3-9.2
debian 13	bash	>=0 <4.3-9.2	4.3-9.2
debian 14	bash	>=0 <4.3-9.2	4.3-9.2
debian 12	bash	>=0 <4.3-9.2	4.3-9.2
rpm rhel5.9	bash	<0:3.2-32.el5_9.3	0:3.2-32.el5_9.3
rpm rhel6.4	bash	<0:4.1.2-15.el6_4.2	0:4.1.2-15.el6_4.2
rpm rhel7	bash	<0:4.2.45-5.el7_0.4	0:4.2.45-5.el7_0.4
rpm rhel5	bash	<0:3.2-33.el5_11.4	0:3.2-33.el5_11.4
rpm rhel6	bash	<0:4.1.2-15.el6_5.2	0:4.1.2-15.el6_5.2

Aliases

1. CVE-2014-71692. NVD-2014-71693. OSV-DEBIAN-2014-71694. OSV-2014-71695. SECURITY-TRACKER-CVE-2014-7169

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.