ID CVE-2019-9924
Summary rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
References
Vulnerable Configurations
  • cpe:2.3:a:gnu:bash:-:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.5:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:1.14.7:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.01:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.01.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.02:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.02.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.03:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.04:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.05:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.05:a:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:2.05:b:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:3.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:3.2.48:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:3.2.57:beta1:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.2.53:beta1:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.3.30:beta1:*:*:*:*:*:*
  • cpe:2.3:a:gnu:bash:4.4:beta1:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
CVSS
Base: 7.2 (as of 05-04-2022 - 20:11)
Impact:
Exploitability:
CWE CWE-862
CAPEC
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
cvss-vector via4 AV:L/AC:L/Au:N/C:C/I:C/A:C
redhat via4
advisories
bugzilla
id 1691774
title CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment bash is earlier than 0:4.2.46-34.el7
          oval oval:com.redhat.rhsa:tst:20201113001
        • comment bash is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141293002
      • AND
        • comment bash-doc is earlier than 0:4.2.46-34.el7
          oval oval:com.redhat.rhsa:tst:20201113003
        • comment bash-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141293004
rhsa
id RHSA-2020:1113
released 2020-03-31
severity Moderate
title RHSA-2020:1113: bash security update (Moderate)
rpms
  • bash-0:4.2.46-34.el7
  • bash-debuginfo-0:4.2.46-34.el7
  • bash-doc-0:4.2.46-34.el7
  • bash-0:4.2.46-32.el7_6
  • bash-debuginfo-0:4.2.46-32.el7_6
  • bash-doc-0:4.2.46-32.el7_6
  • bash-0:4.2.46-34.el7_7
  • bash-debuginfo-0:4.2.46-34.el7_7
  • bash-doc-0:4.2.46-34.el7_7
  • bash-0:4.2.46-30.el7_4
  • bash-debuginfo-0:4.2.46-30.el7_4
  • bash-doc-0:4.2.46-30.el7_4
refmap via4
confirm https://security.netapp.com/advisory/ntap-20190411-0001/
misc
mlist [debian-lts-announce] 20190325 [SECURITY] [DLA 1726-1] bash security update
suse openSUSE-SU-2019:1178
ubuntu
  • USN-4058-1
  • USN-4058-2
Last major update 05-04-2022 - 20:11
Published 22-03-2019 - 08:29
Last modified 05-04-2022 - 20:11