CVE-2019-18276

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-18276
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18276.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-18276
Downstream
Related
Published
2019-11-28T01:15:10.603Z
Modified
2025-11-20T10:59:23.842618Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in disableprivmode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

References

Affected packages

Git / github.com/bminor/bash

Affected ranges

Type
GIT
Repo
https://github.com/bminor/bash
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
951bdaad7a18cc0dc1036bba86b18b90874d39ff

Affected versions

bash-3.*

bash-3.0-beta
bash-3.0-rc1
bash-3.1-alpha
bash-3.1-beta
bash-3.1-rc1
bash-3.1-rc2
bash-3.2-alpha
bash-3.2-beta

bash-4.*

bash-4.0-alpha

Other

devel-base-dist

Database specific

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "171690819415520536111129854892343864653",
                "284499996432413692756474994610991684025",
                "327296867245747385858351977805770502484",
                "228392072341256904787616075179406301131",
                "161559462870876632438233334164418974333",
                "16151667601559328032257506130070589982",
                "16578364369589215155362787608262471881",
                "154597318004421062609955763414029664052",
                "135804257676935330942851427553124421914",
                "229863958922985025555779930754584817949",
                "218987133591457228758102552925379324806",
                "170455372701299672917040745205022373037",
                "240954128917558656339880415133686688717"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "pathexp.c"
        },
        "deprecated": false,
        "source": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
        "signature_type": "Line",
        "id": "CVE-2019-18276-19df07cd"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "119257654511765682365513525462911841618",
                "101957037125885023689409735848251837487",
                "53940925497102736680074056643435023589",
                "62311107696999691549738912746244141703",
                "81618666761211882501023322025145373832",
                "94616946914172098790929176874462117203",
                "213557715999788305298205714305681263862",
                "281002954427988563836942395523520462137"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "lib/glob/glob.c"
        },
        "deprecated": false,
        "source": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
        "signature_type": "Line",
        "id": "CVE-2019-18276-481c7aa9"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "13306285361662628135691558499181836318",
                "31750798099679216784601004640215120197",
                "408242495212161291694865593298020624",
                "162076011559262575709043481925530269089",
                "173283710898503152511624685194615410170",
                "89503797696653328162346624289361280691",
                "298317753040297469701369189028917273583",
                "336963409637945355083420165521178479425",
                "27680839219941781818091253038840532247"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "shell.c"
        },
        "deprecated": false,
        "source": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
        "signature_type": "Line",
        "id": "CVE-2019-18276-54c4eaf8"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "21078060596478951710294908296939923091",
                "299737018015490443472333088996980885966",
                "313713166511269563981125044197694613595",
                "279789378335467200686217223583454719635",
                "226550281909473475950951119966642179273",
                "71558678713459412899383215267257269671",
                "250600264524772183350940044094544752526",
                "99215808039966999958603310126478885847",
                "44968734196972112246988906679297226410",
                "106170260578387101773435241000491712310",
                "276628974888017512989181688480372782176",
                "304335090582101203836135856925624757969",
                "203475986062825137819617135926936407809",
                "167554991111662084999257448582607137101",
                "92499567396106855263240701157315131799",
                "337977731218514274719771756677268897948",
                "67745266338998692370645411585535634323",
                "228392072341256904787616075179406301131",
                "161559462870876632438233334164418974333",
                "16151667601559328032257506130070589982",
                "16578364369589215155362787608262471881",
                "154597318004421062609955763414029664052",
                "135804257676935330942851427553124421914",
                "268971777071972236703970407474890587448",
                "80895224327674472804546891690447078068",
                "59002100992814033468494015970344466780",
                "101233450369770257372554483377389297360",
                "78672650738935826378609634370826464665",
                "226230947418480204337968069098214373627",
                "130783709918854554277908556065324539867",
                "333455781688227280330716609966986170447",
                "10200376478540012991230658521426963997",
                "124536738051565851421683610622466362703",
                "192777561608891181033420325037169771099",
                "57810565190112925532629854428676741063",
                "108071541843493795002075005708338939563",
                "81287633684841990215703534411089657369",
                "288770928338850299178483833137339297998",
                "59510819136454134152691429671446831048",
                "146923290332933934435725945202148767961",
                "112512808721537165444448145664811752827",
                "263672907258369562416591245759073457330"
            ]
        },
        "signature_version": "v1",
        "target": {
            "file": "bashline.c"
        },
        "deprecated": false,
        "source": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
        "signature_type": "Line",
        "id": "CVE-2019-18276-5f5f7de3"
    },
    {
        "digest": {
            "function_hash": "226211336848168772694267672346077219885",
            "length": 534.0
        },
        "signature_version": "v1",
        "target": {
            "function": "disable_priv_mode",
            "file": "shell.c"
        },
        "deprecated": false,
        "source": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
        "signature_type": "Function",
        "id": "CVE-2019-18276-807f9146"
    }
]