CVE-2019-13638
patch: OS shell command injection when processing crafted patch files
Public Exploits: 1
Exploited in Wild: no date recorded (see Timeline)
Descriptions
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
A flaw was found in GNU patch through version 2.7.6. A patch file carrying an ed-style diff whose payload contains shell metacharacters can be used to inject OS shell commands into the system that applies it. The ed editor does not need to be present on the vulnerable system for this attack to work. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
The patch program applies diff files to originals. The diff command compares an original file with a changed file and lists the changes between them; anyone holding the original can then use patch with that diff to apply the changes. Issues addressed include a code execution vulnerability.
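Added example, not code from GNU patch or from any of the advisories on this page: a pre-apply gate that scans a patch file for the two ingredients this CVE needs, an ed-style script and shell metacharacters in the target file name taken from the `---`/`+++`/`***`/`Index:` headers. The ed-command pattern is an assumption that approximates how patch recognizes an ed script, and the metacharacter set is my choice. The upstream commit listed under References is the real remedy; this check is defense in depth for hosts still running patch 2.7.6 or earlier, and the sample patch embedded at the bottom is constructed for the demonstration.

```python
"""Pre-apply gate for patch files: flags ed-style scripts and shell
metacharacters in target file names before an unpatched GNU patch sees
them.  Added example; not code from GNU patch."""
import re
import sys
from dataclasses import dataclass

# Characters /bin/sh would interpret if a target name were spliced into a
# shell command line.  Assumption: a deliberately broad, conservative set.
SHELL_META = set('$`;|&<>(){}\'"\\*?[\n')

# Assumption: patch treats a file as an ed script when a line is an ed
# address plus a/c/d command, e.g. "3a", "1,4c", "7d".  Normal-diff commands
# ("3a4", "1,2c1,2") carry a right-hand range and do not match.
ED_CMD_RE = re.compile(r'^\d+(?:,\d+)?[acd]$')

# File-name headers patch uses to choose the output file.  A quoted name
# ("path with spaces") is taken whole; otherwise the name ends at whitespace.
HEADER_RE = re.compile(r'^(?:\+\+\+|---|\*\*\*|Index:)\s+("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Finding:
    line_no: int   # 1-based line in the patch file
    kind: str      # 'metachar-filename' or 'ed-style-hunk'
    detail: str


def scan_patch(text: str) -> list[Finding]:
    """Return every suspicious line, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        header = HEADER_RE.match(line)
        if header:
            name = header.group(1)
            if name.startswith('"') and name.endswith('"'):
                name = name[1:-1]
            bad = sorted(set(name) & SHELL_META)
            if bad:
                findings.append(Finding(line_no, 'metachar-filename',
                                        f'{name!r} contains {bad}'))
            continue
        if ED_CMD_RE.match(line):
            findings.append(Finding(line_no, 'ed-style-hunk', line))
    return findings


def is_safe_to_apply(text: str, allow_ed: bool = False) -> bool:
    """Gate: refuse any metacharacter in a target name; refuse ed scripts
    unless the caller explicitly opts in (they are rare in real patches)."""
    for f in scan_patch(text):
        if f.kind == 'metachar-filename':
            return False
        if f.kind == 'ed-style-hunk' and not allow_ed:
            return False
    return True


# Constructed sample: one benign unified hunk, then a second file whose
# "+++" name carries shell metacharacters followed by an ed-style script.
SAMPLE_PATCH = """\
--- a/hello.c\t2019-07-17 00:00:00
+++ b/hello.c\t2019-07-17 00:00:01
@@ -1,3 +1,3 @@
 int main(void)
 {
-    return 1;
+    return 0;
 }
--- a/notes.txt\t2019-07-17 00:00:00
+++ b/notes.txt;id>/tmp/pwned\t2019-07-17 00:00:01
1a
injected line
.
"""

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PATCH
    for f in scan_patch(text):
        print(f'line {f.line_no}: {f.kind}: {f.detail}')
    sys.exit(0 if is_safe_to_apply(text) else 1)
```

Run as `python3 gate.py file.patch`; a non-zero exit means the file should not be handed to an old patch. Legitimate ed-style patches are rare enough that refusing them by default costs little, and `allow_ed=True` re-enables them once the host carries the upstream fix. A removed line inside a unified hunk body that happens to begin with `--- ` is checked as if it were a header, which can only add a false positive, never miss a target name.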
Timeline
- 2019-07-17 CVE Reserved
- 2019-07-24 CVE Published
- 2019-08-16 First Exploit
- 2024-08-04 CVE Updated
- 2025-08-11 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References (18)
URL | Tag | Source
---|---|---
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html | X_refsource_misc |
https://github.com/irsl/gnu-patch-vulnerabilities | X_refsource_misc |
https://seclists.org/bugtraq/2019/Aug/29 | Mailing List |
https://seclists.org/bugtraq/2019/Jul/54 | Mailing List |
https://security-tracker.debian.org/tracker/CVE-2019-13638 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20190828-0001 | X_refsource_confirm |

Exploit (the "First Exploit" entry in the Timeline)
URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/154124 | 2019-08-16 |

Upstream commit
URL | Date | SRC
---|---|---
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Gnu | Patch | 2.7.6 | Affected
Debian | Debian Linux | 8.0 | Affected
Debian | Debian Linux | 9.0 | Affected
Debian | Debian Linux | 10.0 | Affected