CVE-2019-9924
HIGHBash < 4.4 - Missing Authorization via BASH_CMDS Manipulation
Title source: llmDescription
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
References (7)
Core 7
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441
Vendor Advisory x_refsource_misc
http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190411-0001/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4058-1/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4058-2/
Scores
CVSS v3
7.8
EPSS
0.0031
EPSS Percentile
54.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (9)
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
debian/debian_linux
8.0
gnu/bash
4.4 beta1
gnu/bash
< 4.4
netapp/hci_management_node
netapp/solidfire
opensuse/leap
42.3
Published
Mar 22, 2019
Tracked Since
Feb 18, 2026