Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

PUBLISHED Reserved 2014-09-09 | Published 2014-09-30 | Updated 2025-12-30 | Assigner debian

CISA Known Exploited Vulnerability

Date added 2025-10-02 | Due date 2025-10-23

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

www-01.ibm.com/support/docview.wss?uid=ssg1S1004897

www-01.ibm.com/support/docview.wss?uid=swg21685749

marc.info/?l=bugtraq&m=141577137423233&w=2 (HPSBMU03165) vendor-advisory

supportcenter.checkpoint.com/...=sk102673&src=securityAlerts

linux.oracle.com/errata/ELSA-2014-3093

marc.info/?l=bugtraq&m=142721162228379&w=2 (SSRT101819) vendor-advisory

marc.info/?l=bugtraq&m=142358026505815&w=2 (HPSBMU03245) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=swg21686479

jvn.jp/en/jp/JVN55667175/index.html (JVN#55667175) third-party-advisory

secunia.com/advisories/60433 (60433) third-party-advisory

marc.info/?l=bugtraq&m=141383026420882&w=2 (HPSBMU03143) vendor-advisory

marc.info/?l=bugtraq&m=141585637922673&w=2 (HPSBMU03182) vendor-advisory

packetstormsecurity.com/...le-Global-Desktop-Shellshock.html

marc.info/?l=bugtraq&m=141576728022234&w=2 (HPSBST03155) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=swg21685541

www.oracle.com/...cs/security/bashcve-2014-7169-2317675.html

secunia.com/advisories/61816 (61816) third-party-advisory

lists.opensuse.org/opensuse-updates/2014-10/msg00025.html (openSUSE-SU-2014:1310) vendor-advisory

secunia.com/advisories/61442 (61442) third-party-advisory

marc.info/?l=bugtraq&m=142358078406056&w=2 (HPSBMU03246) vendor-advisory

secunia.com/advisories/61283 (61283) third-party-advisory

kc.mcafee.com/corporate/index?page=content&id=SB10085

secunia.com/advisories/61654 (61654) third-party-advisory

www.ubuntu.com/usn/USN-2380-1 (USN-2380-1) vendor-advisory

www-947.ibm.com/...ry/portal/docdisplay?lndocid=MIGR-5096315

secunia.com/advisories/62312 (62312) third-party-advisory

support.f5.com/...s/solutions/public/15000/600/sol15629.html

marc.info/?l=bugtraq&m=141879528318582&w=2 (HPSBMU03217) vendor-advisory

security-tracker.debian.org/tracker/CVE-2014-6278

www-01.ibm.com/support/docview.wss?uid=swg21685604

marc.info/?l=bugtraq&m=142118135300698&w=2 (SSRT101868) vendor-advisory

secunia.com/advisories/61703 (61703) third-party-advisory

secunia.com/advisories/61065 (61065) third-party-advisory

marc.info/?l=bugtraq&m=141383196021590&w=2 (HPSBST03129) vendor-advisory

marc.info/?l=bugtraq&m=141383081521087&w=2 (HPSBMU03144) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=swg21686445

www-01.ibm.com/support/docview.wss?uid=swg21686131

jvndb.jvn.jp/jvndb/JVNDB-2014-000126 (JVNDB-2014-000126) third-party-advisory

marc.info/?l=bugtraq&m=141879528318582&w=2 (SSRT101827) vendor-advisory

secunia.com/advisories/61641 (61641) third-party-advisory

www.exploit-db.com/exploits/39887/ (39887) exploit

kb.juniper.net/InfoCenter/index?page=content&id=JSA10648

lists.opensuse.org/...ecurity-announce/2014-10/msg00004.html (SUSE-SU-2014:1287) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=ssg1S1004898

www-01.ibm.com/support/docview.wss?uid=swg21685914

www.mandriva.com/security/advisories?name=MDVSA-2015:164 (MDVSA-2015:164) vendor-advisory

support.hpe.com/...ay?docLocale=en_US&docId=emr_na-c04497075

marc.info/?l=bugtraq&m=142721162228379&w=2 (HPSBMU03220) vendor-advisory

secunia.com/advisories/60325 (60325) third-party-advisory

secunia.com/advisories/60024 (60024) third-party-advisory

packetstormsecurity.com/...nologies-GNU-Bash-Shellshock.html

lcamtuf.blogspot.com/...bash-bug-how-we-finally-cracked.html

tools.cisco.com/...coSecurityAdvisory/cisco-sa-20140926-bash (20140926 GNU Bash Environment Variable Command Injection Vulnerability) vendor-advisory

bugzilla.redhat.com/show_bug.cgi?id=1147414

secunia.com/advisories/62343 (62343) third-party-advisory

secunia.com/advisories/61565 (61565) third-party-advisory

www.suse.com/support/shellshock/

marc.info/?l=bugtraq&m=141450491804793&w=2 (HPSBST03157) vendor-advisory

secunia.com/advisories/61313 (61313) third-party-advisory

marc.info/?l=bugtraq&m=142358026505815&w=2 (SSRT101742) vendor-advisory

secunia.com/advisories/61485 (61485) third-party-advisory

support.hpe.com/...ay?docLocale=en_US&docId=emr_na-c04518183

marc.info/?l=bugtraq&m=141577297623641&w=2 (HPSBST03154) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=isg3T1021272

marc.info/?l=bugtraq&m=141383244821813&w=2 (HPSBGN03142) vendor-advisory

secunia.com/advisories/61312 (61312) third-party-advisory

linux.oracle.com/errata/ELSA-2014-3094

secunia.com/advisories/60193 (60193) third-party-advisory

www.vmware.com/security/advisories/VMSA-2014-0010.html

secunia.com/advisories/60063 (60063) third-party-advisory

secunia.com/advisories/60034 (60034) third-party-advisory

secunia.com/advisories/59907 (59907) third-party-advisory

secunia.com/advisories/58200 (58200) third-party-advisory

marc.info/?l=bugtraq&m=141577241923505&w=2 (HPSBST03181) vendor-advisory

secunia.com/advisories/61643 (61643) third-party-advisory

www.novell.com/support/kb/doc.php?id=7015721

www-01.ibm.com/support/docview.wss?uid=swg21687079

secunia.com/advisories/61503 (61503) third-party-advisory

www-01.ibm.com/support/docview.wss?uid=swg21686246

www-01.ibm.com/support/docview.wss?uid=ssg1S1004915

support.novell.com/security/cve/CVE-2014-6278.html

marc.info/?l=bugtraq&m=141383465822787&w=2 (HPSBHF03145) vendor-advisory

www.qnap.com/i/en/support/con_show.php?cid=61

secunia.com/advisories/61552 (61552) third-party-advisory

secunia.com/advisories/61780 (61780) third-party-advisory

www-01.ibm.com/support/docview.wss?uid=isg3T1021279

support.citrix.com/article/CTX200223

www.exploit-db.com/exploits/39568/ (39568) exploit

marc.info/?l=bugtraq&m=141330468527613&w=2 (HPSBGN03138) vendor-advisory

secunia.com/advisories/60044 (60044) third-party-advisory

secunia.com/advisories/61291 (61291) third-party-advisory

marc.info/?l=bugtraq&m=141345648114150&w=2 (HPSBHF03125) vendor-advisory

secunia.com/advisories/61287 (61287) third-party-advisory

marc.info/?l=bugtraq&m=141383353622268&w=2 (HPSBHF03146) vendor-advisory

marc.info/?l=bugtraq&m=142118135300698&w=2 (HPSBGN03233) vendor-advisory

marc.info/?l=bugtraq&m=142118135300698&w=2 (SSRT101739) vendor-advisory

www-01.ibm.com/support/docview.wss?uid=isg3T1021361

marc.info/?l=bugtraq&m=141383304022067&w=2 (HPSBGN03141) vendor-advisory

secunia.com/advisories/61128 (61128) third-party-advisory

support.citrix.com/article/CTX200217

secunia.com/advisories/61471 (61471) third-party-advisory

secunia.com/advisories/60055 (60055) third-party-advisory

secunia.com/advisories/59961 (59961) third-party-advisory

secunia.com/advisories/61550 (61550) third-party-advisory

secunia.com/advisories/61633 (61633) third-party-advisory

lcamtuf.blogspot.com/...-bug-apply-unofficial-patch-now.html

www-01.ibm.com/support/docview.wss?uid=swg21686494

kb.bluecoat.com/index?page=content&id=SA82

secunia.com/advisories/61328 (61328) third-party-advisory

www-01.ibm.com/support/docview.wss?uid=swg21685733

secunia.com/advisories/61129 (61129) third-party-advisory

secunia.com/advisories/61603 (61603) third-party-advisory

secunia.com/advisories/61857 (61857) third-party-advisory

www-01.ibm.com/support/docview.wss?uid=ssg1S1004879

www.arista.com/...ity-advisories/1008-security-advisory-0006

www.cisa.gov/...nerabilities-catalog?field_cve=CVE-2014-6278 government-resource

cve.org (CVE-2014-6278)

nvd.nist.gov (CVE-2014-6278)
