GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
Published 2014-09-25 01:55:04
Updated 2021-11-17 22:15:37
Source MITRE
View at NVD,

CVE-2014-7169 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271.
Added on 2022-01-28 Action due date 2022-07-28

Exploit prediction scoring system (EPSS) score for CVE-2014-7169

Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-7169

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen

CWE ids for CVE-2014-7169

References for CVE-2014-7169

Products affected by CVE-2014-7169

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to terms of use!