NVD

CVE-2014-6278 Detail

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: 10.0 HIGH

Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://jvn.jp/en/jp/JVN55667175/index.html
http://jvn.jp/en/jp/JVN55667175/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html	Patch
http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html	Patch
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
http://linux.oracle.com/errata/ELSA-2014-3093
http://linux.oracle.com/errata/ELSA-2014-3093
http://linux.oracle.com/errata/ELSA-2014-3094
http://linux.oracle.com/errata/ELSA-2014-3094
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
http://marc.info/?l=bugtraq&m=141330468527613&w=2
http://marc.info/?l=bugtraq&m=141330468527613&w=2
http://marc.info/?l=bugtraq&m=141345648114150&w=2
http://marc.info/?l=bugtraq&m=141345648114150&w=2
http://marc.info/?l=bugtraq&m=141383026420882&w=2
http://marc.info/?l=bugtraq&m=141383026420882&w=2
http://marc.info/?l=bugtraq&m=141383081521087&w=2
http://marc.info/?l=bugtraq&m=141383081521087&w=2
http://marc.info/?l=bugtraq&m=141383196021590&w=2
http://marc.info/?l=bugtraq&m=141383196021590&w=2
http://marc.info/?l=bugtraq&m=141383244821813&w=2
http://marc.info/?l=bugtraq&m=141383244821813&w=2
http://marc.info/?l=bugtraq&m=141383304022067&w=2
http://marc.info/?l=bugtraq&m=141383304022067&w=2
http://marc.info/?l=bugtraq&m=141383353622268&w=2
http://marc.info/?l=bugtraq&m=141383353622268&w=2
http://marc.info/?l=bugtraq&m=141383465822787&w=2
http://marc.info/?l=bugtraq&m=141383465822787&w=2
http://marc.info/?l=bugtraq&m=141450491804793&w=2
http://marc.info/?l=bugtraq&m=141450491804793&w=2
http://marc.info/?l=bugtraq&m=141576728022234&w=2
http://marc.info/?l=bugtraq&m=141576728022234&w=2
http://marc.info/?l=bugtraq&m=141577137423233&w=2
http://marc.info/?l=bugtraq&m=141577137423233&w=2
http://marc.info/?l=bugtraq&m=141577241923505&w=2
http://marc.info/?l=bugtraq&m=141577241923505&w=2
http://marc.info/?l=bugtraq&m=141577297623641&w=2
http://marc.info/?l=bugtraq&m=141577297623641&w=2
http://marc.info/?l=bugtraq&m=141585637922673&w=2
http://marc.info/?l=bugtraq&m=141585637922673&w=2
http://marc.info/?l=bugtraq&m=141879528318582&w=2
http://marc.info/?l=bugtraq&m=141879528318582&w=2
http://marc.info/?l=bugtraq&m=141879528318582&w=2
http://marc.info/?l=bugtraq&m=141879528318582&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142358026505815&w=2
http://marc.info/?l=bugtraq&m=142358026505815&w=2
http://marc.info/?l=bugtraq&m=142358026505815&w=2
http://marc.info/?l=bugtraq&m=142358026505815&w=2
http://marc.info/?l=bugtraq&m=142358078406056&w=2
http://marc.info/?l=bugtraq&m=142358078406056&w=2
http://marc.info/?l=bugtraq&m=142721162228379&w=2
http://marc.info/?l=bugtraq&m=142721162228379&w=2
http://marc.info/?l=bugtraq&m=142721162228379&w=2
http://marc.info/?l=bugtraq&m=142721162228379&w=2
http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html
http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html
http://secunia.com/advisories/58200
http://secunia.com/advisories/58200
http://secunia.com/advisories/59907
http://secunia.com/advisories/59907
http://secunia.com/advisories/59961
http://secunia.com/advisories/59961
http://secunia.com/advisories/60024
http://secunia.com/advisories/60024
http://secunia.com/advisories/60034
http://secunia.com/advisories/60034
http://secunia.com/advisories/60044
http://secunia.com/advisories/60044
http://secunia.com/advisories/60055
http://secunia.com/advisories/60055
http://secunia.com/advisories/60063
http://secunia.com/advisories/60063
http://secunia.com/advisories/60193
http://secunia.com/advisories/60193
http://secunia.com/advisories/60325
http://secunia.com/advisories/60325
http://secunia.com/advisories/60433
http://secunia.com/advisories/60433
http://secunia.com/advisories/61065
http://secunia.com/advisories/61065
http://secunia.com/advisories/61128
http://secunia.com/advisories/61128
http://secunia.com/advisories/61129
http://secunia.com/advisories/61129
http://secunia.com/advisories/61283
http://secunia.com/advisories/61283
http://secunia.com/advisories/61287
http://secunia.com/advisories/61287
http://secunia.com/advisories/61291
http://secunia.com/advisories/61291
http://secunia.com/advisories/61312
http://secunia.com/advisories/61312
http://secunia.com/advisories/61313
http://secunia.com/advisories/61313
http://secunia.com/advisories/61328
http://secunia.com/advisories/61328
http://secunia.com/advisories/61442
http://secunia.com/advisories/61442
http://secunia.com/advisories/61471
http://secunia.com/advisories/61471
http://secunia.com/advisories/61485
http://secunia.com/advisories/61485
http://secunia.com/advisories/61503
http://secunia.com/advisories/61503
http://secunia.com/advisories/61550
http://secunia.com/advisories/61550
http://secunia.com/advisories/61552
http://secunia.com/advisories/61552
http://secunia.com/advisories/61565
http://secunia.com/advisories/61565
http://secunia.com/advisories/61603
http://secunia.com/advisories/61603
http://secunia.com/advisories/61633
http://secunia.com/advisories/61633
http://secunia.com/advisories/61641
http://secunia.com/advisories/61641
http://secunia.com/advisories/61643
http://secunia.com/advisories/61643
http://secunia.com/advisories/61654
http://secunia.com/advisories/61654
http://secunia.com/advisories/61703
http://secunia.com/advisories/61703
http://secunia.com/advisories/61780
http://secunia.com/advisories/61780
http://secunia.com/advisories/61816
http://secunia.com/advisories/61816
http://secunia.com/advisories/61857
http://secunia.com/advisories/61857
http://secunia.com/advisories/62312
http://secunia.com/advisories/62312
http://secunia.com/advisories/62343
http://secunia.com/advisories/62343
http://support.novell.com/security/cve/CVE-2014-6278.html
http://support.novell.com/security/cve/CVE-2014-6278.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915
http://www-01.ibm.com/support/docview.wss?uid=swg21685541
http://www-01.ibm.com/support/docview.wss?uid=swg21685541
http://www-01.ibm.com/support/docview.wss?uid=swg21685604
http://www-01.ibm.com/support/docview.wss?uid=swg21685604
http://www-01.ibm.com/support/docview.wss?uid=swg21685733
http://www-01.ibm.com/support/docview.wss?uid=swg21685733
http://www-01.ibm.com/support/docview.wss?uid=swg21685749
http://www-01.ibm.com/support/docview.wss?uid=swg21685749
http://www-01.ibm.com/support/docview.wss?uid=swg21685914
http://www-01.ibm.com/support/docview.wss?uid=swg21685914
http://www-01.ibm.com/support/docview.wss?uid=swg21686131
http://www-01.ibm.com/support/docview.wss?uid=swg21686131
http://www-01.ibm.com/support/docview.wss?uid=swg21686246
http://www-01.ibm.com/support/docview.wss?uid=swg21686246
http://www-01.ibm.com/support/docview.wss?uid=swg21686445
http://www-01.ibm.com/support/docview.wss?uid=swg21686445
http://www-01.ibm.com/support/docview.wss?uid=swg21686479
http://www-01.ibm.com/support/docview.wss?uid=swg21686479
http://www-01.ibm.com/support/docview.wss?uid=swg21686494
http://www-01.ibm.com/support/docview.wss?uid=swg21686494
http://www-01.ibm.com/support/docview.wss?uid=swg21687079
http://www-01.ibm.com/support/docview.wss?uid=swg21687079
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315
http://www.mandriva.com/security/advisories?name=MDVSA-2015:164
http://www.mandriva.com/security/advisories?name=MDVSA-2015:164
http://www.novell.com/support/kb/doc.php?id=7015721
http://www.novell.com/support/kb/doc.php?id=7015721
http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
http://www.qnap.com/i/en/support/con_show.php?cid=61
http://www.qnap.com/i/en/support/con_show.php?cid=61
http://www.ubuntu.com/usn/USN-2380-1
http://www.ubuntu.com/usn/USN-2380-1
http://www.vmware.com/security/advisories/VMSA-2014-0010.html
http://www.vmware.com/security/advisories/VMSA-2014-0010.html
https://bugzilla.redhat.com/show_bug.cgi?id=1147414
https://bugzilla.redhat.com/show_bug.cgi?id=1147414
https://kb.bluecoat.com/index?page=content&id=SA82
https://kb.bluecoat.com/index?page=content&id=SA82
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
https://kc.mcafee.com/corporate/index?page=content&id=SB10085
https://kc.mcafee.com/corporate/index?page=content&id=SB10085
https://security-tracker.debian.org/tracker/CVE-2014-6278
https://security-tracker.debian.org/tracker/CVE-2014-6278
https://support.citrix.com/article/CTX200217
https://support.citrix.com/article/CTX200217
https://support.citrix.com/article/CTX200223
https://support.citrix.com/article/CTX200223
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts
https://www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006
https://www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006
https://www.exploit-db.com/exploits/39568/
https://www.exploit-db.com/exploits/39568/
https://www.exploit-db.com/exploits/39887/
https://www.exploit-db.com/exploits/39887/
https://www.suse.com/support/shellshock/
https://www.suse.com/support/shellshock/

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

18 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2014-6278
NVD Published Date:
09/30/2014
NVD Last Modified:
11/20/2024
Source:
Debian GNU/Linux

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2014-6278 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by CVE 11/20/2024 9:14:05 PM

CVE Modified by Debian GNU/Linux 5/13/2024 11:19:21 PM

CVE Modified by Debian GNU/Linux 11/17/2021 5:15:36 PM

CVE Modified by Debian GNU/Linux 11/09/2021 8:15:23 PM

CVE Modified by Debian GNU/Linux 11/05/2021 1:15:09 PM

CVE Modified by Debian GNU/Linux 8/08/2018 9:29:01 PM

CVE Modified by Debian GNU/Linux 9/07/2017 9:29:13 PM

CVE Modified by Debian GNU/Linux 1/02/2017 9:59:08 PM

CVE Modified by Debian GNU/Linux 6/14/2016 9:59:14 PM

CVE Modified by Debian GNU/Linux 6/10/2016 10:00:00 PM

CVE Modified by Debian GNU/Linux 5/11/2015 10:01:46 PM

CVE Modified by Debian GNU/Linux 3/26/2015 9:59:31 PM

CVE Modified by Debian GNU/Linux 3/17/2015 10:02:02 PM

CVE Modified by Debian GNU/Linux 3/11/2015 10:00:07 PM

CVE Modified by Debian GNU/Linux 12/23/2014 10:00:24 PM

CVE Modified by Debian GNU/Linux 11/19/2014 9:59:31 PM

CVE Modified by Debian GNU/Linux 11/13/2014 10:07:22 PM

Initial CVE Analysis 9/30/2014 2:28:11 PM

Quick Info