CVSS: 2.1EPSS: 0%CPEs: 5EXPL: 1CVE-2010-0002 – GNU Bash 4.0 - 'ls' Control Character Command Injection
https://notcve.org/view.php?id=CVE-2010-0002
The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename. La secuencia de comandos /etc/profile.d/60alias.sh en el paquete Mandriva bash para Bash v2.05b, v3.0, v3.2, v3.2.48, y v4.0 activa la opción --show-control-chars en LS_OPTIONS, lo que permite a usuarios locales enviar secuencias de escape a los emuladores de terminal o esconder un archivo, a través del nombre de un nombre de archivo manipulado. • https://www.exploit-db.com/exploits/33508 http://www.mandriva.com/security/advisories?name=MDVSA-2010:004 https://qa.mandriva.com/show_bug.cgi?id=56882 • CWE-20: Improper Input Validation •
CVSS: 4.6EPSS: 0%CPEs: 17EXPL: 1CVE-1999-0491 – GNU GNU bash 1.14 - Path Embedded Code Execution
https://notcve.org/view.php?id=CVE-1999-0491
The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. • https://www.exploit-db.com/exploits/19095 ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-008.0.txt http://www.securityfocus.com/bid/119 http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9904202114070.6623-100000%40smooth.Operator.org • CWE-94: Improper Control of Generation of Code ('Code Injection') •