CVE-2019-18276

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-18276
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18276.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-18276
Related
Published
2019-11-28T01:15:10Z
Modified
2025-01-15T01:40:04.519517Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An issue was discovered in disableprivmode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

References

Affected packages

Debian:11 / bash

Package

Name
bash
Purl
pkg:deb/debian/bash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.1~rc1-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / bash

Package

Name
bash
Purl
pkg:deb/debian/bash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.1~rc1-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / bash

Package

Name
bash
Purl
pkg:deb/debian/bash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.1~rc1-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/bminor/bash

Affected ranges

Type
GIT
Repo
https://github.com/bminor/bash
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Fixed

Affected versions

bash-3.*

bash-3.0-beta
bash-3.0-rc1
bash-3.1-alpha
bash-3.1-beta
bash-3.1-rc1
bash-3.1-rc2
bash-3.2-alpha
bash-3.2-beta

bash-4.*

bash-4.0-alpha

Other

devel-base-dist