CVE-2014-7169
CRITICALCISA KEVEPSS 100th pctlDescription
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271.
Apply updates per vendor instructions.
Remediation due: 2022-07-28
References
- http://advisories.mageia.org/MGASA-2014-0393.html
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
- http://jvn.jp/en/jp/JVN55667175/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
- http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- http://linux.oracle.com/errata/ELSA-2014-1306.html
- http://linux.oracle.com/errata/ELSA-2014-3075.html
- http://linux.oracle.com/errata/ELSA-2014-3077.html
- http://linux.oracle.com/errata/ELSA-2014-3078.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
- http://marc.info/?l=bugtraq&m=141216207813411&w=2
- http://marc.info/?l=bugtraq&m=141216668515282&w=2
- http://marc.info/?l=bugtraq&m=141235957116749&w=2
- http://marc.info/?l=bugtraq&m=141319209015420&w=2
- http://marc.info/?l=bugtraq&m=141330425327438&w=2
- http://marc.info/?l=bugtraq&m=141330468527613&w=2
- http://marc.info/?l=bugtraq&m=141345648114150&w=2
- http://marc.info/?l=bugtraq&m=141383026420882&w=2
- http://marc.info/?l=bugtraq&m=141383081521087&w=2
- http://marc.info/?l=bugtraq&m=141383138121313&w=2
- http://marc.info/?l=bugtraq&m=141383196021590&w=2
- http://marc.info/?l=bugtraq&m=141383244821813&w=2
- http://marc.info/?l=bugtraq&m=141383304022067&w=2
- http://marc.info/?l=bugtraq&m=141383353622268&w=2
- http://marc.info/?l=bugtraq&m=141383465822787&w=2
- http://marc.info/?l=bugtraq&m=141450491804793&w=2
- http://marc.info/?l=bugtraq&m=141576728022234&w=2
- http://marc.info/?l=bugtraq&m=141577137423233&w=2
- http://marc.info/?l=bugtraq&m=141577241923505&w=2
- http://marc.info/?l=bugtraq&m=141577297623641&w=2
- http://marc.info/?l=bugtraq&m=141585637922673&w=2
- http://marc.info/?l=bugtraq&m=141694386919794&w=2
- http://marc.info/?l=bugtraq&m=141879528318582&w=2
- http://marc.info/?l=bugtraq&m=142113462216480&w=2
- http://marc.info/?l=bugtraq&m=142118135300698&w=2
- http://marc.info/?l=bugtraq&m=142358026505815&w=2
- http://marc.info/?l=bugtraq&m=142358078406056&w=2
- http://marc.info/?l=bugtraq&m=142721162228379&w=2
- http://marc.info/?l=bugtraq&m=142805027510172&w=2
- http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html
- http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
- http://rhn.redhat.com/errata/RHSA-2014-1306.html
- http://rhn.redhat.com/errata/RHSA-2014-1311.html
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-22.