CVE-2017-5932

HIGH

GNU Bash - Improper Input Validation

Title source: rule

Description

The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a " (double quote) character and a command substitution metacharacter.

References (4)

[Patch, Third Party Advisory] http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2017/02/08/3

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/96136

[Mailing List, Patch, Vendor Advisory] https://lists.gnu.org/archive/html/bug-bash/2017-01/msg00034.html

Scores

CVSS v3 7.8

EPSS 0.0021

EPSS Percentile 43.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-20

Status draft

Affected Products (1)

gnu/bash

Timeline

Published Mar 27, 2017

Tracked Since Feb 18, 2026