CVE-2014-7169

CRITICAL severity · CVSS 9.8 · OS command injection · actively exploited (CISA KEV)

9.8CVSS CRITICAL ● exploited

🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Added to KEV 2022-01-28. US federal agencies must patch by 2022-07-28.

Summary

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)89%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (5)

F5 BIG-IP Ubuntu Debian Red Hat Enterprise Linux SUSE Linux Enterprise

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

CVE-2014-7169

Summary

Impact & exploitability

Affected products we track (5)

Recommendation

Additional information