High severity8.8CISA KEVNVD Advisory· Published Sep 30, 2014· Updated Apr 22, 2026

CVE-2014-6278

Description

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Affected products

GNU/Bash28 versions
cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*+ 27 more
- cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:1.14.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.01:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.01.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.02:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.02.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.03:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.04:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.05:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.05:a:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:2.05:b:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:3.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:3.2.48:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:bash:4.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

111

lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.htmlnvdPatchThird Party Advisory
jvn.jp/en/jp/JVN55667175/index.htmlnvdThird Party Advisory
jvndb.jvn.jp/jvndb/JVNDB-2014-000126nvdThird Party Advisory
lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.htmlnvdThird Party Advisory
linux.oracle.com/errata/ELSA-2014-3093nvdThird Party Advisory
linux.oracle.com/errata/ELSA-2014-3094nvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.htmlnvdThird Party Advisory
packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.htmlnvdThird Party Advisory
secunia.com/advisories/62343nvdThird Party Advisory
support.novell.com/security/cve/CVE-2014-6278.htmlnvdThird Party Advisory
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bashnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-01.ibm.com/support/docview.wssnvdThird Party Advisory
www-947.ibm.com/support/entry/portal/docdisplaynvdThird Party Advisory
www.mandriva.com/security/advisoriesnvdThird Party Advisory
www.novell.com/support/kb/doc.phpnvdThird Party Advisory
www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.htmlnvdThird Party Advisory
www.qnap.com/i/en/support/con_show.phpnvdThird Party Advisory
www.ubuntu.com/usn/USN-2380-1nvdThird Party Advisory
www.vmware.com/security/advisories/VMSA-2014-0010.htmlnvdThird Party Advisory
bugzilla.redhat.com/show_bug.cginvdThird Party Advisory
kb.bluecoat.com/indexnvdThird Party Advisory
kb.juniper.net/InfoCenter/indexnvdThird Party Advisory
kc.mcafee.com/corporate/indexnvdThird Party Advisory
security-tracker.debian.org/tracker/CVE-2014-6278nvdThird Party Advisory
support.citrix.com/article/CTX200217nvdThird Party Advisory
support.citrix.com/article/CTX200223nvdThird Party Advisory
support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.htmlnvdThird Party Advisory
support.hpe.com/hpsc/doc/public/displaynvdThird Party Advisory
support.hpe.com/hpsc/doc/public/displaynvdThird Party Advisory
supportcenter.checkpoint.com/supportcenter/portalnvdThird Party Advisory
www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006nvdThird Party Advisory
www.exploit-db.com/exploits/39568/nvdThird Party Advisory
www.exploit-db.com/exploits/39887/nvdThird Party Advisory
www.suse.com/support/shellshock/nvdVendor Advisory
lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.htmlnvdMailing List
lists.opensuse.org/opensuse-updates/2014-10/msg00025.htmlnvdMailing List
secunia.com/advisories/58200nvdBroken Link
secunia.com/advisories/59907nvdBroken Link
secunia.com/advisories/59961nvdBroken Link
secunia.com/advisories/60024nvdBroken Link
secunia.com/advisories/60034nvdBroken Link
secunia.com/advisories/60044nvdBroken Link
secunia.com/advisories/60055nvdBroken Link
secunia.com/advisories/60063nvdBroken Link
secunia.com/advisories/60193nvdBroken Link
secunia.com/advisories/60325nvdBroken Link
secunia.com/advisories/60433nvdBroken Link
secunia.com/advisories/61065nvdBroken Link
secunia.com/advisories/61128nvdBroken Link
secunia.com/advisories/61129nvdBroken Link
secunia.com/advisories/61283nvdBroken Link
secunia.com/advisories/61287nvdBroken Link
secunia.com/advisories/61291nvdBroken Link
secunia.com/advisories/61312nvdBroken Link
secunia.com/advisories/61313nvdBroken Link
secunia.com/advisories/61328nvdBroken Link
secunia.com/advisories/61442nvdBroken Link
secunia.com/advisories/61471nvdBroken Link
secunia.com/advisories/61485nvdBroken Link
secunia.com/advisories/61503nvdBroken Link
secunia.com/advisories/61550nvdBroken Link
secunia.com/advisories/61552nvdBroken Link
secunia.com/advisories/61565nvdBroken Link
secunia.com/advisories/61603nvdBroken Link
secunia.com/advisories/61633nvdBroken Link
secunia.com/advisories/61641nvdBroken Link
secunia.com/advisories/61643nvdBroken Link
secunia.com/advisories/61654nvdBroken Link
secunia.com/advisories/61703nvdBroken Link
secunia.com/advisories/61780nvdBroken Link
secunia.com/advisories/61816nvdBroken Link
secunia.com/advisories/61857nvdBroken Link
secunia.com/advisories/62312nvdBroken Link
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.073
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.000