CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 4CVE-2019-18276 – bash: when effective UID is not equal to its real UID the saved UID is not dropped
https://notcve.org/view.php?id=CVE-2019-18276
An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. • https://github.com/M-ensimag/CVE-2019-18276 https://github.com/SABI-Ensimag/CVE-2019-18276 http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E https://security.gentoo.org/glsa/202105-34 https://security.netapp.com/advisory/ntap-20200430-0003 https://www.oracle.com/security-alerts/cp • CWE-271: Privilege Dropping / Lowering Errors CWE-273: Improper Check for Dropped Privileges •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2012-6711
https://notcve.org/view.php?id=CVE-2012-6711
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv(). Existe un desbordamiento de búfer basado en el heap en GNU Bash antes de 4.3 cuando los caracteres anchos, no admitidos por la configuración regional actual establecida en la variable de entorno LC_CTYPE, se imprimen a través de la función incorporada de eco. Un atacante local, que puede proporcionar datos para imprimir a través de la función incorporada "echo -e", puede usar esta falla para bloquear un script o ejecutar código con los privilegios del proceso de bash. • http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5 http://www.securityfocus.com/bid/108824 https://bugzilla.redhat.com/show_bug.cgi?id=1721071 https://support.f5.com/csp/article/K05122252 https://support.f5.com/csp/article/K05122252?utm_source=f5support&%3Butm_medium=RSS https://usn.ubuntu.com/4180-1 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-9924 – bash: BASH_CMD is writable in restricted bash shells
https://notcve.org/view.php?id=CVE-2019-9924
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell. rbash en Bash • http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65 http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441 https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html https://security.netapp.com/advisory/ntap-20190411-0001 https://usn.ubuntu.com/4058-1 https://usn.ubuntu.com/4058-2 https://access.redhat.com/security/cve/CVE-2019-9924 https://bugzilla.r • CWE-138: Improper Neutralization of Special Elements CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 22EXPL: 0CVE-2016-9401 – bash: popd controlled free
https://notcve.org/view.php?id=CVE-2016-9401
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address. popd en bash podrían permitir a usuarios locales eludir el shell restringido y provocar un uso después de liberación de memoria a través de una dirección manipulada. A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. • http://rhn.redhat.com/errata/RHSA-2017-0725.html http://www.openwall.com/lists/oss-security/2016/11/17/5 http://www.openwall.com/lists/oss-security/2016/11/17/9 http://www.securityfocus.com/bid/94398 https://access.redhat.com/errata/RHSA-2017:1931 https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html https://security.gentoo.org/glsa/201701-02 https://access.redhat.com/security/cve/CVE-2016-9401 https://bugzilla.redhat.com/show_bug.cgi?id=1396383 • CWE-416: Use After Free •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2016-7543 – bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution
https://notcve.org/view.php?id=CVE-2016-7543
Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables. Bash en versiones anteriores a 4.4 permite a usuarios locales ejecutar comandos arbitrarios con privilegios root a través de variables de entorno SHELLOPTS y PS4 manipuladas. An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. • http://rhn.redhat.com/errata/RHSA-2017-0725.html http://www.openwall.com/lists/oss-security/2016/09/26/9 http://www.securityfocus.com/bid/93183 http://www.securitytracker.com/id/1037812 https://access.redhat.com/errata/RHSA-2017:1931 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05388115 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7XOQSHU63Y357NHU5FPTFBM6I3YOCQB https://lists.fedoraproject.org/archives/list&#x • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •