CVE-2019-9924

Public on 2019-03-22

Modified on 2020-10-22

Description

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Severity

Medium

See what this means

CVSS v3 Base Score

7.8

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	bash	2020-06-23 05:55	ALAS-2020-1379
Amazon Linux 2 - Core	bash	2020-10-22 17:21	ALAS2-2020-1503

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv2	7.2	AV:L/AC:L/Au:N/C:C/I:C/A:C
NVD	CVSSv3	7.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2019-9924 Mitre: CVE-2019-9924 FAQs regarding Amazon Linux ALAS/CVE Severity