CVE-2014-6271
CRITICAL | CISA KEV | EPSS 100th pctl
Description
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVSS v3 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code.
Apply updates per vendor instructions.
Remediation due: 2022-07-28
This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-22.