GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
References
Configurations
Configuration 1 (hide)
|
History
17 Nov 2021, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Nov 2021, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
05 Nov 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Feb 2021, 21:38
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/161107/SonicWall-SSL-VPN-Shellshock-Remote-Code-Execution.html - Third Party Advisory, VDB Entry |
26 Jan 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2014-09-24 18:48
Updated : 2023-12-10 11:31
NVD link : CVE-2014-6271
Mitre link : CVE-2014-6271
CVE.ORG link : CVE-2014-6271
JSON object : View
Products Affected
gnu
- bash
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')