CVE-2014-6278
published 2014-09-30CVE-2014-6278: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute…
high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVEXPLOIT
CISA Known Exploited Vulnerabilitydue 2025-10-23
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
Affected
48 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_netscaler_adc | — | — |
| citrix | citrix_netscaler_sdx | — | — |
| citrix | citrix_xenapp | — | — |
| citrix | citrix_xendesktop | — | — |
| citrix | citrix_xenmobile | — | — |
| citrix | citrix_xenserver | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_sdx | — | — |
| citrix | sharefile | — | — |
| citrix | xenapp | — | — |
| citrix | xendesktop | — | — |
| citrix | xenmobile | — | — |
| citrix | xenserver | — | — |
| debian | bash | < bash 4.3-9.2 (bookworm) | bash 4.3-9.2 (bookworm) |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
| gnu | bash | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv10.0CRITICAL
vulncheck8.8HIGH
cisa8.8HIGH