Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-18276

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Published

2019-11-28T01:15:10.603

Last Modified

2025-06-09T16:15:29.960

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Primary
CWE-273
Type: Secondary
CWE-273

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gnu	bash	≤ 5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	gnu	bash	5.0	Yes
Application	netapp	hci_management_node	-	Yes
Application	netapp	oncommand_unified_manager	≥ 9.5	Yes
Application	netapp	solidfire	-	Yes
Application	oracle	communications_cloud_native_core_policy	1.14.0	Yes

References

http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html Exploit, Third Party Advisory, VDB Entry ([email protected])
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff Patch, Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E ([email protected])
https://security.gentoo.org/glsa/202105-34 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20200430-0003/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.youtube.com/watch?v=-wGtxJ8opa8 Exploit, Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202105-34 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20200430-0003/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.youtube.com/watch?v=-wGtxJ8opa8 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)