Published: 18/06/2019 Updated: 20/06/2019
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A heap-based buffer overflow exists in GNU Bash prior to 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().

Vulnerability Trend

Affected Products

Vendor Product Versions
GnuBash4.2, 4.2.53, 4.3
RedhatEnterprise Linux7.0

Vendor Advisories

Impact: Moderate Public Date: 2019-06-18 CWE: CWE-122 Bugzilla: 1721071: CVE-2012-6711 bash: heap-based ...
Bash could be made to crash or execute arbitrary code if it received a specially crafted input ...

Github Repositories

Scan Docker Image This script purpose is to scan Docker images for vulnerabilities Get a token: microscanneraquaseccom/signup Usage: SCANNER_TOKEN=<TOKEN> SCANNER_IMAGE=jboss/keycloak:601 /docker-scansh --silent Sample output: { "scan_started": { "seconds": 1563490473, "nanos": 733846066 }, "scan_dura