CVE-2014-6278 — Vulnetix

Try Vulnetix Request Demo

CVE-2014-6278 PUBLISHED KEV

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

EPSS 90.10% · 99.6th percentile

Risk Scores

EPSS Score

90.10%

99.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	bash	0, 4.2-5ubuntu3, 4.3-1ubuntu2

Timeline

Sep 16, 2010 PoC Published
Sep 25, 2014 CVE Published
Sep 27, 2014 PoC Published
Sep 30, 2014 CVE Updated
Oct 14, 2014 PoC Published
Oct 28, 2014 PoC Published
Sep 6, 2015 PoC Published
Mar 16, 2016 PoC Published
Jun 6, 2016 PoC Published
Oct 9, 2020 PoC Published
Feb 4, 2022 EPSS Score
May 19, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2014-6278 third-party-advisory
http://lcamtuf.blogspot.ca/2014/09/bash-bug-apply-unofficial-patch-now.html third-party-advisory
http://seclists.org/fulldisclosure/2014/Oct/9 third-party-advisory
http://lcamtuf.blogspot.ca/2014/10/bash-bug-how-we-finally-cracked.html third-party-advisory
https://ubuntu.com/security/notices/USN-2380-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2014-6278 third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory
Vulnérabilité dans GNU bash advisory

Open in Interactive Console →