Vulnerability identifier: #VU5294

Vulnerability risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2014-7169

CWE-ID: CWE-77

Exploitation vector: Network

Exploits in database: 17

• April 7, 2020
  • exploit-CVE-2014-6271 (Shellshock exploit + vulnerable environment) [Github]
• March 18, 2020
  • CUPS Filter - Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
  • GNU Bash - Environment Variable Command Injection (Shellshock) [Exploit-DB]
  • Bash - Environment Variables Code Injection (Shellshock) [Exploit-DB]
  • GNU Bash - Environment Variable Command Injection (Metasploit) [Exploit-DB]
  • GNU bash 4.3.11 - Environment Variable dhclient Exploit [Exploit-DB]
  • Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
  • OpenVPN 2.2.29 - Remote Exploit (Shellshock) [Exploit-DB]
  • Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock) [Exploit-DB]
  • puppet-shellshock (This module determine the vulnerability of a bash binary to the shellshock exploits (CVE-2014-6271 or CVE-2014-7169) and then patch that where possible) [Github]
  • QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
  • QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
  • dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock) [Exploit-DB]
  • IPFire - Cgi Web Interface Authenticated Bash Environment Variable Code Injection [Exploit-DB]
  • Bash CGI - Remote Code Execution (Shellshock) (Metasploit) [Exploit-DB]
  • PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) [Exploit-DB]
  • Kemp Load Master 7.1.16 - Multiple Vulnerabilities [Exploit-DB]

Impact: Code execution

Vulnerable software:
Bash
Universal components / Libraries / Scripting languages

Vendor: GNU