Vulnerability Details : CVE-2019-13638
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
Exploit prediction scoring system (EPSS) score for CVE-2019-13638
Probability of exploitation activity in the next 30 days: 0.39%
Percentile (the proportion of vulnerabilities scored at or below this one): ~70%
CVSS scores for CVE-2019-13638
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2019-13638
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-13638
- RHSA-2019:2964 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:2964
- RHSA-2019:3758 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:3758
- CVE-2019-13638 - Debian Security Tracker [Third Party Advisory]: https://security-tracker.debian.org/tracker/CVE-2019-13638
- August 2019 GNU patch Vulnerabilities in NetApp Products | NetApp Product Security: https://security.netapp.com/advisory/ntap-20190828-0001/
- Bugtraq: [SECURITY] [DSA 4489-1] patch security update [Mailing List; Third Party Advisory]: https://seclists.org/bugtraq/2019/Jul/54
- Debian -- Security Information -- DSA-4489-1 patch [Third Party Advisory]: https://www.debian.org/security/2019/dsa-4489
- [SECURITY] Fedora 30 Update: patch-2.7.6-11.fc30 - package-announce - Fedora Mailing-Lists: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
- RHSA-2019:2798 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:2798
- RHSA-2019:4061 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:4061
- GitHub - irsl/gnu-patch-vulnerabilities: The GNU patch utility was vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here: https://github.com/irsl/gnu-patch-vulnerabilities
- patch.git - GNU patch (upstream fix commit) [Mailing List; Patch; Vendor Advisory]: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
- Bugtraq: Details about recent GNU patch vulnerabilities: https://seclists.org/bugtraq/2019/Aug/29
- RHSA-2019:3757 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:3757
- GNU patch Command Injection / Directory Traversal ≈ Packet Storm: http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
- Patch: Multiple vulnerabilities (GLSA 201908-22) — Gentoo security: https://security.gentoo.org/glsa/201908-22
Products affected by CVE-2019-13638
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:patch:2.7.6:*:*:*:*:*:*:*