CVE-2014-6271

CRITICAL severity · CVSS 9.8 · OS command injection · actively exploited (CISA KEV)

9.8CVSS CRITICAL ● exploited

🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Added to KEV 2022-01-28. US federal agencies must patch by 2022-07-28.

Summary

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)94%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (5)

F5 BIG-IP Ubuntu Debian Red Hat Enterprise Linux SUSE Linux Enterprise

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

CVE-2014-6271

Summary

Impact & exploitability

Affected products we track (5)

Recommendation

Additional information