CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions
Description
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Affected Vendors & Products
Vendor | Product | Version |
---|---|---|
gnu | bash | to 4.3 (inc) |
arista | eos | From 4.9.0 (inc) to 4.9.12 (exc) |
oracle | linux | * |
qnap | qts | to 4.1.1 (exc) |
qnap | qts | * |
mageia | mageia | * |
redhat | gluster_storage_server_for_on-premise | * |
redhat | virtualization | * |
redhat | enterprise_linux | * |
redhat | enterprise_linux_desktop | * |
redhat | enterprise_linux_eus | * |
redhat | enterprise_linux_for_ibm_z_systems | * |
redhat | enterprise_linux_for_power_big_endian | * |
redhat | enterprise_linux_for_power_big_endian_eus | * |
redhat | enterprise_linux_for_scientific_computing | * |
redhat | enterprise_linux_server | * |
redhat | enterprise_linux_server_aus | * |
redhat | enterprise_linux_server_from_rhui | * |
redhat | enterprise_linux_server_tus | * |
redhat | enterprise_linux_workstation | * |
suse | studio_onsite | * |
opensuse | opensuse | * |
suse | linux_enterprise_desktop | * |
suse | linux_enterprise_server | * |
suse | linux_enterprise_software_development_kit | * |
debian | debian_linux | * |
ibm | infosphere_guardium_database_activity_monitoring | * |
ibm | pureapplication_system | From 1.0.0.0 (inc) to 1.0.0.4 (inc) |
ibm | pureapplication_system | * |
ibm | qradar_risk_manager | * |
ibm | qradar_security_information_and_event_manager | * |
ibm | qradar_vulnerability_manager | * |
ibm | smartcloud_entry_appliance | * |
ibm | smartcloud_provisioning | * |
ibm | software_defined_network_for_virtual_environments | to 1.2.1 (exc) |
ibm | starter_kit_for_cloud | * |
ibm | workload_deployer | From 3.1.0 (inc) to 3.1.0.7 (inc) |
ibm | security_access_manager_for_mobile_8.0_firmware | * |
ibm | security_access_manager_for_web_7.0_firmware | * |
ibm | security_access_manager_for_web_8.0_firmware | * |
ibm | storwize_v7000_firmware | From 1.1.0.0 (inc) to 1.4.3.5 (exc) |
ibm | storwize_v7000 | * |
ibm | storwize_v5000_firmware | From 1.1.0.0 (inc) to 7.1.0.11 (exc) |
ibm | storwize_v5000 | * |
ibm | storwize_v3700_firmware | From 1.1.0.0 (inc) to 7.1.0.11 (exc) |
ibm | storwize_v3700 | * |
ibm | storwize_v3500_firmware | From 1.1.0.0 (inc) to 7.1.0.11 (exc) |
ibm | storwize_v3500 | * |
ibm | flex_system_v7000_firmware | From 1.1.0.0 (inc) to 7.1.0.11 (exc) |
ibm | flex_system_v7000 | * |
ibm | san_volume_controller_firmware | From 1.1.0.0 (inc) to 7.1.0.11 (exc) |
ibm | san_volume_controller | * |
ibm | stn6500_firmware | From 3.8.0.0 (inc) to 3.8.0.07 (exc) |
ibm | stn6500 | * |
ibm | stn6800_firmware | From 3.8.0.0 (inc) to 3.8.0.07 (exc) |
ibm | stn6800 | * |
ibm | stn7800_firmware | From 3.8.0.0 (inc) to 3.8.0.07 (exc) |
ibm | stn7800 | * |
canonical | ubuntu_linux | * |
novell | zenworks_configuration_management | * |
novell | open_enterprise_server | * |
checkpoint | security_gateway | to r77.30 (exc) |
f5 | big-ip_access_policy_manager | * |
f5 | big-ip_advanced_firewall_manager | From 11.3.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_advanced_firewall_manager | * |
f5 | big-ip_analytics | From 11.1.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_analytics | * |
f5 | big-ip_application_acceleration_manager | From 11.4.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_application_acceleration_manager | * |
f5 | big-ip_application_security_manager | From 11.1.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_application_security_manager | * |
f5 | big-ip_edge_gateway | From 11.1.0 (inc) to 11.3.0 (exc) |
f5 | big-ip_global_traffic_manager | From 11.1.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_global_traffic_manager | * |
f5 | big-ip_link_controller | From 11.1.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_link_controller | * |
f5 | big-ip_local_traffic_manager | From 11.1.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_local_traffic_manager | * |
f5 | big-ip_policy_enforcement_manager | From 11.3.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_policy_enforcement_manager | * |
f5 | big-ip_wan_optimization_manager | From 11.1.0 (inc) to 11.3.0 (exc) |
f5 | big-ip_webaccelerator | From 11.1.0 (inc) to 11.3.0 (exc) |
f5 | big-iq_cloud | From 4.0.0 (inc) to 4.5.0 (exc) |
f5 | big-iq_device | From 4.2.0 (inc) to 4.5.0 (exc) |
f5 | big-iq_security | From 4.0.0 (inc) to 4.5.0 (exc) |
f5 | enterprise_manager | From 2.1.0 (inc) to 2.3.0 (inc) |
f5 | traffix_signaling_delivery_controller | From 4.0.0 (inc) to 4.0.5 (inc) |
f5 | traffix_signaling_delivery_controller | * |
f5 | arx_firmware | From 6.0.0 (inc) to 6.4.0 (inc) |
f5 | arx | * |
citrix | netscaler_sdx_firmware | to 9.3.67.5r1 (exc) |
citrix | netscaler_sdx | * |
vmware | vcenter_server_appliance | * |
vmware | esx | * |
f5 | big-ip_access_policy_manager | From 11.1.0 (inc) to 11.5.1 (exc) |
f5 | big-ip_protocol_security_module | From 11.1.0 (inc) to 11.4.1 (exc) |
apple | mac_os_x | From 10.6.0 (inc) to 10.6.8 (inc) |
Exploitability
CWE ID | Description |
---|---|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Meta Information
CVE Publication Date:
2014-09-24
CVE Last Modified Date:
2025-03-13
Report Generation Date:
2025-08-14
AI Powered Q&A Generation:
2024-11-28
EPSS Last Evaluated Date:
2025-07-02
NVD Report Link: