Code Execution Vulnerability in GNU Bash by GNU
CVE-2014-6277

Currently unrated

Key Information:

Vendor: Gnu
Status: Bash
Vendor: CVE Published:; 27 September 2014

Summary

GNU Bash, through version 4.3, improperly parses function definitions in environment variables, enabling remote attackers to execute arbitrary code or induce a denial of service. This vulnerability arises from crafted environments that exploit command execution contexts across privilege boundaries, affecting various services such as OpenSSH's ForceCommand feature, Apache's mod_cgi and mod_cgid modules, and potentially untrusted scripts executed by DHCP clients. The issue stems from an incomplete fix related to previous vulnerabilities.

References

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897

x_refsource_CONFIRM

http://www-01.ibm.com/support/docview.wss?uid=swg21685749

x_refsource_CONFIRM

http://marc.info/?l=bugtraq&m=141577137423233&w=2

vendor-advisoryx_refsource_HP

EPSS Score

84% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Sep 27, 2014
Vulnerability Reserved
Sep 9, 2014