CVE-2014-6278

Public Date:
2014-09-29
IAVA:
2014-A-0142
CWE:
CWE-119
Bugzilla:
1147414: CVE-2014-6278 bash: incorrect parsing of function definitions with nested command substitutions

The MITRE CVE dictionary describes this issue as:

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Find out more about CVE-2014-6278 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat no longer considers this bug to be a security issue. The change introduced in bash errata RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 removed the exposure of the bash parser to untrusted input: exported functions are now carried only in specially named variables (BASH_FUNC_name()), and bash no longer treats the value of an arbitrary environment variable as a function definition. Remaining parser problems with such values, including this one, are therefore reduced to a bug without security impact.
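The following shell script is an added example, not part of this Red Hat advisory and not Red Hat's own tooling. It probes a local bash for the parser exposure described by the MITRE text above (a function definition in the value of an ordinary environment variable being parsed at startup) and then shows the variable naming the errata introduced, which is why a patched bash never hands such values to its parser. The two probe strings are the published test vectors for CVE-2014-6271 and for CVE-2014-6278 (the latter from Michal Zalewski's analysis); the function names `probe`, `probe_6271`, `probe_6278` and `exported_function_var` are this example's own.

```shell
#!/bin/sh
# Added example: does this bash still parse function definitions out of
# arbitrary environment variables, and where do exported functions live now?
# Probe strings are the public test vectors; function names are ours.

# Run one probe: hand a function-looking value to a child bash through an
# ordinary variable (X) and see whether the embedded payload runs.
# Echoes "vulnerable", "patched" or "no-bash"; always returns 0.
probe() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    out=$(env "X=$1" bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *pwned*) echo vulnerable ;;
        *)       echo patched ;;
    esac
}

# CVE-2014-6271: commands trailing the function body execute at import time.
probe_6271() { probe '() { :; }; echo pwned'; }

# CVE-2014-6278: a nested command substitution inside a redirection target
# still reached the parser on bash43-025/026, i.e. after the first two fixes.
probe_6278() { probe '() { _; } >_[$($())] { echo pwned; }'; }

# After the errata an exported function is not stored under its own name but
# under a mangled one: BASH_FUNC_hello() on Red Hat builds, BASH_FUNC_hello%%
# on upstream bash 4.3.30 and later. Only variables carrying that marker are
# ever considered as function definitions, so X above is just a string.
exported_function_var() {
    bash -c 'hello() { echo hi; }; export -f hello; env' 2>/dev/null \
        | grep '^BASH_FUNC_hello' | cut -d= -f1
}

# Stand-alone report.
main() {
    echo "CVE-2014-6271 probe: $(probe_6271)"
    echo "CVE-2014-6278 probe: $(probe_6278)"
    echo "exported function seen by child as: $(exported_function_var)"
}
main "$@"
```

On a bash carrying the errata both probes print "patched" and the exported function appears under a `BASH_FUNC_hello` name rather than as `hello`. A pre-errata bash prints "vulnerable" for the first probe; a bash stopped at bash43-026, the last level the MITRE description lists as affected, prints "patched" for the first probe but "vulnerable" for the second, which is exactly the gap the prefix/suffix scheme closed.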

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 7.5
Base Metrics AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 bash Affected
Red Hat Enterprise Linux 6 bash Affected
Red Hat Enterprise Linux 5 bash Affected
Red Hat Enterprise Linux 4 bash Affected

CVE description copyright © 2017, The MITRE Corporation