Description
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
A flaw was found in GNU patch through version 2.7.6. An ed-style diff payload patch file with shell metacharacters can be used to inject OS shell commands into a system. The ed editor does not need to be present on the vulnerable system for this attack to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
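As defence in depth alongside the fixed packages, a pipeline that applies untrusted patches can refuse ed-style input before `patch` ever sees it. The sketch below is an added example, not code from GNU patch or from the advisory; the function names, the line heuristic and the sample inputs are assumptions made for illustration.

```python
import re

# Heuristic (an assumption of this example): an ed script as produced by
# `diff -e` carries commands such as "3a", "1,2d" or "5c" on a line of their
# own; a/c/i commands are followed by text and a lone "." terminator.
ED_COMMAND = re.compile(r"^\d+(?:,\d+)?([acdi])$")
# Line prefixes used by unified, context and normal diffs. Lines starting
# with these belong to another diff format and are never ed commands.
OTHER_DIFF_PREFIXES = (" ", "+", "-", "<", ">", "!", "\\", "@", "*")


def find_ed_commands(patch_text):
    """Return (line_number, line) for each line that looks like an ed command."""
    hits = []
    in_ed_text = False  # True while inside the text block of an a/c/i command
    for number, line in enumerate(patch_text.splitlines(), start=1):
        if in_ed_text:
            if line == ".":
                in_ed_text = False
            continue
        if line.startswith(OTHER_DIFF_PREFIXES):
            continue
        match = ED_COMMAND.match(line)
        if match:
            hits.append((number, line))
            in_ed_text = match.group(1) in "aci"
    return hits


def is_safe_to_apply(patch_text):
    """Fail closed: reject any input that contains ed-style commands."""
    return not find_ed_commands(patch_text)


# Constructed, benign sample inputs (not taken from any real patch).
UNIFIED_SAMPLE = (
    "--- a/hello.txt\n+++ b/hello.txt\n"
    "@@ -1,2 +1,2 @@\n hello\n-wrld\n+world\n"
)
NORMAL_SAMPLE = "2c2\n< wrld\n---\n> world\n"
ED_SAMPLE = "Index: hello.txt\n2c\nworld\n.\n1d\n"

if __name__ == "__main__":
    for name, text in [("unified", UNIFIED_SAMPLE), ("normal", NORMAL_SAMPLE),
                       ("ed", ED_SAMPLE)]:
        print(name, "safe" if is_safe_to_apply(text) else find_ed_commands(text))
```

The check is deliberately conservative: it rejects any file with a bare ed command line, including one in free text ahead of an otherwise ordinary diff.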
Statement
Red Hat Enterprise Linux 6 is not affected by this vulnerability as the shipped version of patch did not carry the code that introduced this flaw.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | patch | Out of support scope | | |
Red Hat Enterprise Linux 6 | patch | Not affected | | |
Red Hat Enterprise Linux 7 | patch | Fixed | RHSA-2019:2964 | 03.10.2019 |
Red Hat Enterprise Linux 7.4 Advanced Update Support | patch | Fixed | RHSA-2019:4061 | 03.12.2019 |
Red Hat Enterprise Linux 7.4 Telco Extended Update Support | patch | Fixed | RHSA-2019:4061 | 03.12.2019 |
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions | patch | Fixed | RHSA-2019:4061 | 03.12.2019 |
Red Hat Enterprise Linux 7.5 Extended Update Support | patch | Fixed | RHSA-2019:3757 | 06.11.2019 |
Red Hat Enterprise Linux 7.6 Extended Update Support | patch | Fixed | RHSA-2019:3758 | 06.11.2019 |
Red Hat Enterprise Linux 8 | patch | Fixed | RHSA-2019:2798 | 19.09.2019 |
Additional information
Status:
EPSS
7.8 High
CVSS3