CVE-2014-6278

CVE Details

Release Date:2014-09-29

Description


GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

See more information about CVE-2014-6278 from MITRE CVE dictionary and NIST NVD


CVSS v2.0 metrics


NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.

Base Score: 7.5 Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network Attack Complexity: Low
Authentication: None required Confidentiality Impact: Partial
Integrity Impact: Partial Availability Impact: Partial

Errata information


PlatformErrataRelease Date
Oracle Linux version 5 (bash)ELSA-2014-30942014-11-20
Oracle Linux version 6 (bash)ELSA-2014-30932014-11-20
Oracle Linux version 7 (bash)ELSA-2014-30922014-11-20



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete