CVE-2014-6271

Impact: Critical
Public Date: 2014-09-24
IAVA: 2014-A-0142
CWE: CWE-78
Bugzilla: 1141597: CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Find out more about CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 7.5
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform                                                      Errata          Release Date
Red Hat Enterprise Linux 5 (bash)                             RHSA-2014:1293  2014-09-24
Red Hat Enterprise Linux Extended Update Support 6.4 (bash)   RHSA-2014:1294  2014-09-24
Red Hat Enterprise Linux Long Life (v. 5.6 server) (bash)     RHSA-2014:1294  2014-09-24
S-JIS for Red Hat Enterprise Linux 6 Server (bash)            RHSA-2014:1295  2014-09-24
S-JIS for Red Hat Enterprise Linux 5 Server (bash)            RHSA-2014:1295  2014-09-24
Red Hat Enterprise Linux 6 (bash)                             RHSA-2014:1293  2014-09-24
Red Hat Enterprise Linux EUS (v. 5.9 server) (bash)           RHSA-2014:1294  2014-09-24
RHEV-M for Servers (rhev-hypervisor6)                         RHSA-2014:1354  2014-10-02
Red Hat Enterprise Linux Extended Lifecycle Support 4 (bash)  RHSA-2014:1294  2014-09-24
Red Hat Enterprise Linux Advanced Update Support 6.2 (bash)   RHSA-2014:1294  2014-09-24
Red Hat Enterprise Linux 7 (bash)                             RHSA-2014:1293  2014-09-24

Affected Packages State

Platform                    Package           State
Red Hat Enterprise Linux 7  rhel-guest-image  Affected
Red Hat Enterprise Linux 6  guest-images      Affected
Red Hat Enterprise Linux 3  bash              Affected
RHEV-M for Servers          rhev-hypervisor   Affected

Acknowledgements

Red Hat would like to thank Stephane Chazelas for reporting this issue.
