CVE-2019-18276

Published: Nov 28, 2019Modified: Jun 9, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Affected (19)

Products: Gnu: Bash · Netapp: Hci Management Node, Oncommand Unified Manager, Solidfire · Oracle: Communications Cloud Native Core Policy

1 product

3 products

Hci Management Node

Oncommand Unified Manager

1 product

Communications Cloud Native Core Policy

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Gnu Bash	Up to 5.0
Gnu Bash	Version 5.0 beta1
Gnu Bash	Version 5.0 beta2
Gnu Bash	Version 5.0 patch10
Gnu Bash	Version 5.0 patch11
Gnu Bash	Version 5.0 patch1
Gnu Bash	Version 5.0 patch2
Gnu Bash	Version 5.0 patch3
Gnu Bash	Version 5.0 patch4
Gnu Bash	Version 5.0 patch5
Gnu Bash	Version 5.0 patch6
Gnu Bash	Version 5.0 patch7
Gnu Bash	Version 5.0 patch8
Gnu Bash	Version 5.0 patch9
Gnu Bash	Version 5.0 rc1

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Netapp Hci Management Node	All versions
Netapp Oncommand Unified Manager	From 9.5
Netapp Solidfire	All versions

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Cloud Native Core Policy	Version 1.14.0

Related CWEs

Improper Check for Dropped Privileges

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

References (14)

http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

Source: cve@mitre.org

https://security.gentoo.org/glsa/202105-34

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200430-0003/

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.youtube.com/watch?v=-wGtxJ8opa8

Source: cve@mitre.org

ExploitThird Party Advisory

http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202105-34

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200430-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.youtube.com/watch?v=-wGtxJ8opa8

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.