CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2014-7169

CVSS 9.8v3.1pub. 2014-09-25upd. 2026-04-22

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Arista Eos

    OS
    Arista
    4.14.0 – 4.14.4f (bez)4.9.0 – 4.9.12 (bez)4.10.0 – 4.10.9 (bez)4.11.0 – 4.11.11 (bez)4.12.0 – 4.12.9 (bez)4.13.0 – 4.13.9 (bez)
  • Debian

    OS
    Debian
    7.0
  • Gnu Bash

    APP
    Gnu
    ≤ 4.3
  • IBM Infosphere Guardium Database Activity Monitoring

    APP
    Ibm
    8.29.09.1
  • IBM Pureapplication System

    APP
    Ibm
    2.0.0.01.0.0.0 – 1.0.0.41.1.0.0 – 1.1.0.4
  • IBM Qradar Risk Manager

    APP
    Ibm
    7.1.0
  • IBM Qradar Security Information And Event Manager

    APP
    Ibm
    7.1.07.1.17.1.27.27.2.07.2.17.2.2
  • Mageia

    OS
    Mageia
    3.04.0
  • Opensuse

    OS
    Opensuse
    12.313.113.2
  • Oracle Linux

    OS
    Oracle
    456
  • Qnap Qts

    OS
    Qnap
    4.1.1< 4.1.1
  • Red Hat Enterprise Linux

    OS
    Redhat
    4.05.06.07.0
  • Red Hat Enterprise Linux Desktop

    OS
    Redhat
    5.06.07.0
  • Red Hat Enterprise Linux Eus

    OS
    Redhat
    5.96.46.57.37.47.57.67.7
  • Red Hat Enterprise Linux For IBM Z Systems

    OS
    Redhat
    5.9_s390x6.4_s390x6.5_s390x7.3_s390x7.4_s390x7.5_s390x7.6_s390x7.7_s390x
  • Red Hat Enterprise Linux For Power Big Endian

    OS
    Redhat
    5.0_ppc5.9_ppc6.0_ppc646.4_ppc647.0_ppc64
  • Red Hat Enterprise Linux For Power Big Endian Eus

    OS
    Redhat
    6.5_ppc647.3_ppc647.4_ppc647.5_ppc647.6_ppc647.7_ppc64
  • Red Hat Enterprise Linux For Scientific Computing

    OS
    Redhat
    6.07.0
  • Red Hat Enterprise Linux Server

    OS
    Redhat
    5.06.07.0
  • Red Hat Enterprise Linux Server Aus

    OS
    Redhat
    5.65.96.26.46.57.37.47.67.7
  • Red Hat Enterprise Linux Server From Rhui

    OS
    Redhat
    5.06.07.0
  • Red Hat Enterprise Linux Server Tus

    OS
    Redhat
    6.57.37.67.7
  • Red Hat Enterprise Linux Workstation

    OS
    Redhat
    5.06.07.0
  • Red Hat Gluster Storage Server For On Premise

    APP
    Redhat
    2.1
  • Red Hat Virtualization

    APP
    Redhat
    3.4
  • SUSE Linux Enterprise Desktop

    OS
    Suse
    1112
  • SUSE Linux Enterprise Server

    OS
    Suse
    101112
  • SUSE Linux Enterprise Software Development Kit

    OS
    Suse
    1112
  • SUSE Studio Onsite

    APP
    Suse
    1.3

CISA KEV — detailsi

Vendori
GNU
Producti
Bourne-Again Shell (Bash)
Added to KEVi
January 28, 2022
Remediation deadline (US Federal)i
July 28, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 28 lipca 2022
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki