OS Command Injection Vulnerability in GNU Patch Software
CVE-2019-13638

7.8HIGH

Key Information:

Vendor

Gnu
Status
Patch
Vendor
CVE Published:
26 July 2019

What is CVE-2019-13638?

GNU Patch, up to version 2.7.6, is susceptible to a vulnerability that allows for OS shell command injection. This can occur when a specially crafted patch file containing an ed-style diff payload with shell metacharacters is opened. Importantly, the 'ed' editor is not required to be present on the system for the exploit to succeed. This security flaw presents critical implications for systems where the patch utility is used, potentially enabling an attacker to execute arbitrary commands within the host environment.

References

https://security-tracker.debian.org/tracker/CVE-2019-13638
x_refsource_MISC
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3f...
x_refsource_MISC
https://www.debian.org/security/2019/dsa-4489
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2019-13638 : OS Command Injection Vulnerability in GNU Patch Software