github - ghsa-jcxc-5f87-vq5m

ghsa-jcxc-5f87-vq5m

Vulnerability from github

Published

2022-05-24 17:02

Modified

2022-05-24 17:02

Severity

7.8 (High) - CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-18276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-273"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-28T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
  "id": "GHSA-jcxc-5f87-vq5m",
  "modified": "2022-05-24T17:02:24Z",
  "published": "2022-05-24T17:02:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202105-34"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200430-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=-wGtxJ8opa8"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2019-18276

Vulnerability from cvelistv5

Published

2019-11-28 00:27

Modified

2024-08-05 01:47

Severity

Summary

References

URL	Tags
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E	mailing-list, x_refsource_MLIST
https://security.gentoo.org/glsa/202105-34	vendor-advisory, x_refsource_GENTOO
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://www.youtube.com/watch?v=-wGtxJ8opa8	x_refsource_MISC
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff	x_refsource_CONFIRM
http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20200430-0003/	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website