CVE-2019-13638

HIGH

GNU patch <2.7.6 - Command Injection

Title source: llm
STIX 2.1

Description

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

References (15)

Core 15
Core References
Third Party Advisory x_refsource_misc
https://security-tracker.debian.org/tracker/CVE-2019-13638
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4489
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jul/54
Mailing List mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Aug/29
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-22
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190828-0001/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2798
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2964
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3757
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3758
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4061

Scores

CVSS v3 7.8
EPSS 0.0205
EPSS Percentile 84.1%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (4)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
gnu/patch 2.7.6
Published Jul 26, 2019
Tracked Since Feb 18, 2026