Description
An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.
Exploits (2)
References (7)
Core 7
Core References
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202105-34
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Exploit, Third Party Advisory x_refsource_misc
https://www.youtube.com/watch?v=-wGtxJ8opa8
Patch, Third Party Advisory x_refsource_confirm
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200430-0003/
Scores
CVSS v3
7.8
EPSS
0.5022
EPSS Percentile
97.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-273
Status
published
Products (6)
gnu/bash
5.0 beta1 (14 CPE variants)
gnu/bash
< 5.0
netapp/hci_management_node
netapp/oncommand_unified_manager
9.5
netapp/solidfire
oracle/communications_cloud_native_core_policy
1.14.0
Published
Nov 28, 2019
Tracked Since
Feb 18, 2026