CVE-2014-6271

Unscored · EPSS 100.0% · CISA KEV · CWE-78 · OS Command Injection

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code.

Community ground truth

Community verdict

2 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

Community real-world severity: Critical (Critical 2)

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • 0
    Field note · Sam Whitaker · Curated

    Bash function-definition parsing bug. Reachable anywhere env vars cross a trust boundary into bash — CGI being the classic. Trivial, reliable, mass-exploited.

  • 0
    Remediation · Diego Ramírez · Curated

    Patch bash (and re-check — the first fix CVE-2014-6271 was incomplete; you want the full series through CVE-2014-7187). Kill CGI scripts that shell out where you can.