CVE-2016-7543

CWE-20 — Improper Input Validation CWE-77 — Command Injection11 documents8 sources

Severity

8.4HIGH

EPSS

0.1%

top 75.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Bash Fedoraproject Fedora

Timeline

PublishedJan 19

Latest updateMay 14

Description

Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages2 packages

▶Debianbash< 4.4-1+3

▶NVDgnu/bash4.3

Also affects: Fedora 23, 24, 25

Patches

Patch: lists.gnu.org ↗Patch: lists.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-6xh6-xvh9-w4h5: Bash before 4↗2022-05-14

▶

OSV

bash vulnerabilities↗2017-05-17

▶

CVEList

CVE-2016-7543: Bash before 4↗2017-01-19

▶

OSV

CVE-2016-7543: Bash before 4↗2017-01-19

▶

📋Vendor Advisories

Ubuntu

Bash vulnerability↗2017-08-01

▶

Ubuntu

Bash vulnerabilities↗2017-05-17

▶

Red Hat

bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution↗2016-09-16

▶

Debian

CVE-2016-7543: bash - Bash before 4.4 allows local users to execute arbitrary commands with root privi...↗2016

▶

💬Community

Bugzilla

CVE-2016-7543 bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution↗2016-09-27

▶

Bugzilla

CVE-2016-7543 bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution [fedora-all]↗2016-09-27

▶