Home

CVE-2014-6278

Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Risk Information

Base Score
8.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
89.736

Associated Vulnerability

VulnerabilityOS Platform
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) bash-4.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) bash-debuginfo-4.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) bash-debugsource-4.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) bash-doc-4.2-82.1.noarch.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) bash-lang-4.2-82.1.noarch.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) libreadline6-6.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) libreadline6-32bit-6.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) libreadline6-debuginfo-6.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) libreadline6-debuginfo-32bit-6.2-82.1.x86_64.rpmLinux
SUSE-SU-2016:2872-1(SUSE Linux Enterprise Desktop 12-SP1 ) readline-doc-6.2-82.1.noarch.rpmLinux
GNU Bash Environment Variable Command Injection Vulnerability For Cisco IOS XE SoftwareNCM
GNU Bash Environment Variable Command Injection Vulnerability For Cisco NX-OS SoftwareNCM
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Vulnerability (CVE-2014-6278)NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-1706107Security Update for Cisco IOS XE Software 5.2(1)SV5(1.3a)
PATCH-1706149Security Update for Cisco NX-OS Software 4.1(3a)UCSM

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234