CVE-2019-18276

 

Published at: - 28-11-2019 02:15

Last modified: - 07-06-2022 08:41

Total changes: - 6

Description

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://www.youtube.com/watch?v=-wGtxJ8opa8
• https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
• http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html
• https://security.netapp.com/advisory/ntap-20200430-0003/
• [mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar-Mailing List, Third Party Advisory
• GLSA-202105-34-Third Party Advisory
• https://www.oracle.com/security-alerts/cpuapr2022.html

 

Keywords

NVD

 

CVE-2019-18276

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures