ALPINE-CVE-2019-13638
PUBLISHED
CVSS 7.8 HIGH
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
Risk Scores
CVSS v3.0
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.8 | patch | 0, 2.7.6-r3, 2.7.6-r2 |
| Alpine:v3.18 | patch | 2.7.6-r5, 2.7.6-r5, 2.7.6-r4 |
| Alpine:v3.21 | patch | 2.6.1-r3, 2.7.3-r0, 2.7.1-r1 |
| Alpine:v3.17 | patch | 2.7.6-r2, 2.5.9-r0, 2.6.1-r0 |
| Alpine:v3.7 | patch | 2.5.9-r0, 2.7.5-r3, 2.7.5-r2 |
| Alpine:v3.12 | patch | 2.7.6-r5, 2.7.3-r0, 2.7.6-r1 |
| Alpine:v3.14 | patch | 2.6.1-r0, 0, 2.5.9-r0 |
| Alpine:v3.16 | patch | 2.6.1-r0, 2.7.6-r5, 2.5.9-r0 |
| Alpine:v3.11 | patch | 2.7.6-r5, 2.7.6-r3, 2.7.6-r2 |
| Alpine:v3.23 | patch | 0, 2.7.6-r5, 2.7.6-r4 |
| Alpine:v3.19 | patch | 0, 2.6-r0, 2.6.1-r0 |
| Alpine:v3.15 | patch | 2.6.1-r2, 0, 2.5.9-r0 |
| Alpine:v3.9 | patch | 2.5.9-r0, 2.6-r0, 2.6.1-r0 |
| Alpine:v3.13 | patch | 2.5.9-r0, 2.6-r0, 2.6.1-r0 |
| Alpine:v3.22 | patch | 2.7.6-r4, 2.7.6-r5, 2.7.6-r4 |
| Alpine:v3.20 | patch | 2.7-r0, 2.7.6-r5, 0 |
| Alpine:v3.10 | patch | 0, 2.6-r0, 2.6.1-r0 |
Timeline
- Jul 26, 2019 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch