CVE-2019-18276

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

CVSS v2.0 7.2

7.2^/10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

CVSS v3.0 7.8 HIGH

7.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.youtube.com/watch?v=-wGtxJ8opa8	Exploit Third Party Advisory
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff	Patch Third Party Advisory
http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html	Exploit Third Party Advisory
https://security.netapp.com/advisory/ntap-20200430-0003/	Third Party Advisory
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202105-34	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

Configurations

Configuration 1

cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch1:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch2:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch3:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch4:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch5:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch6:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch7:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch8:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch9:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch10:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:patch11:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:beta1:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:beta2:*:*:*:*:*:*

cpe:2.3:a:gnu:bash:5.0:rc1:*:*:*:*:*:*

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*

History

24 Jan 2023, 16:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:predictapp_project:predictapp::::::::
References	~~(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 -~~	(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/abhilash1985/PredictApp/pull/73 -~~	(MISC) https://github.com/abhilash1985/PredictApp/pull/73 - Patch, Third Party Advisory
References	~~(MISC) https://vuldb.com/?id.218387 -~~	(MISC) https://vuldb.com/?id.218387 - Third Party Advisory
References	~~(MISC) https://vuldb.com/?ctiid.218387 -~~	(MISC) https://vuldb.com/?ctiid.218387 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Predictapp Project predictapp Predictapp Project

16 Jan 2023, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2019-11-28 01:15

Updated : 2022-06-07 06:41

NVD link : CVE-2019-18276

Mitre link : CVE-2019-18276

Products Affected

No products.

CWE

CWE-273

Improper Check for Dropped Privileges