Vulnerability Details: CVE-2016-7543
Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.
Vulnerability category: Input validation
Products affected by CVE-2016-7543
- cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-7543
- 0.15%: Probability of exploitation activity in the next 30 days
- ~50%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-7543
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
8.4 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.5 | 5.9 | NIST | |
CWE ids for CVE-2016-7543
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-7543
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7XOQSHU63Y357NHU5FPTFBM6I3YOCQB/
  [SECURITY] Fedora 25 Update: bash-4.3.43-4.fc25 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html
  Bash-4.4 Release available (Patch; Vendor Advisory)
- https://security.gentoo.org/glsa/201701-02
  Bash: Multiple vulnerabilities (GLSA 201701-02) — Gentoo security (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OU3C756YPHDAAPFX76UGZBAQQQ5UMHS5/
  [SECURITY] Fedora 24 Update: bash-4.3.42-7.fc24 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- http://www.securityfocus.com/bid/93183
  GNU Bash CVE-2016-7543 Local Command Execution Vulnerability (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1037812
  HPE NonStop Server Bash Shell Lets Local Users Obtain Root Privileges - SecurityTracker
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2VRBSIPZDZ75ZQ2DLITHUIDW4W26KVR/
  [SECURITY] Fedora 23 Update: bash-4.3.42-5.fc23 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1931
  RHSA-2017:1931 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2017-0725.html
  RHSA-2017:0725 - Security Advisory - Red Hat Customer Portal
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05388115
  HPESBNS03702 rev.1 - HPE NonStop OSS Core Utilities with Bash Shell, Local Arbitrary Command Execution, Elevation of Privilege
- http://www.openwall.com/lists/oss-security/2016/09/26/9
  oss-security - CVE-2016-7543 -- bash SHELLOPTS+PS4 (Mailing List; Third Party Advisory)