CVE-2019-13638
published 2019-07-26

High 7.8 (CVSS 3.0)
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

Affected

30 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | patch | < patch 2.7.6-5 (bookworm) | patch 2.7.6-5 (bookworm) |
| gnu | patch | <= 2.7.6 | |
| gnu | patch | | |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.5-1ubuntu0.16.04.2 | 2.7.5-1ubuntu0.16.04.2 |
| gnu | patch | >= 0 < 2.7.6-2ubuntu1.1 | 2.7.6-2ubuntu1.1 |
| gnu | patch | >= 0 < 2.7.1-4ubuntu2.4+esm1 | 2.7.1-4ubuntu2.4+esm1 |
| msrc | azl3_patch_2.7.6-9_on_azure_linux_3.0 | | |
| msrc | cbl2_patch_2.7.6-7_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_1.0_arm | | |
| msrc | cbl_mariner_1.0_x64 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| msrc | cm1_patch_2.7.6-7_on_cbl_mariner_1.0 | | |
| msrc | patch-2.7.6-7.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | | |
| msrc | patch-2.7.6-7.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | | |
| msrc | patch-2.7.6-7.cm2.aarch64.rpm_on_cbl_mariner_2.0_arm | | |
| msrc | patch-2.7.6-7.cm2.x86_64.rpm_on_cbl_mariner_2.0_x64 | | |
| msrc | patch-2.7.6-9.azl3.aarch64.rpm_on_azure_linux_3.0_arm | | |

CVSS provenance

nvd: v3.0, 7.8 HIGH, CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv: 7.8 HIGH