Alpine: multiple bash packages: security update to 4.3.018-r2 (deprecated)

critical Tenable Cloud Security Plugin ID 401075

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment
variables, which allows remote attackers to execute arbitrary code via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid
modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in
which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."
NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the
vulnerability that is still present after the incorrect fix. (CVE-2014-6271)

See Also

https://git.alpinelinux.org/aports/commit/?id=07e6144b76bad51a8dfcfae1eade5b4571c534c3

https://git.alpinelinux.org/aports/commit/?id=c39d46b6980d9c28414d959834f72dcdcad81ef9

Plugin Details

Severity: Critical

ID: 401075

Version: Revision 1.33

Type: Local

Published: 8/16/2023

Updated: 5/5/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

Percentile: 99.97

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2014-6271

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/24/2014

Vulnerability Publication Date: 9/24/2014

CISA Known Exploited Vulnerability Due Dates: 7/28/2022

Exploitable With

Core Impact

Metasploit (Qmail SMTP Bash Environment Variable Injection (Shellshock))

Reference Information

CVE: CVE-2014-6271

BID: 70103

IAVA: 2014-A-0142