Alpine: multiple bash packages: security update to 4.3.026-r1 (deprecated)

critical Tenable Cloud Security Plugin ID 401162

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in
the values of environment variables, which allows remote attackers to write to files or possibly have
unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand
feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by
unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege
boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2014-6271. (CVE-2014-7169)

See Also

https://git.alpinelinux.org/aports/commit/?id=411f8fddc5516aaf4436db42bde25f616dc13149

https://git.alpinelinux.org/aports/commit/?id=f227eb4c61ab1cceaa050a03a19480131dd9cde9

Plugin Details

Severity: Critical

ID: 401162

Version: Revision 1.35

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 8.9

Percentile: 99.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2014-7169

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/30/2014

Vulnerability Publication Date: 9/24/2014

CISA Known Exploited Vulnerability Due Dates: 7/28/2022

Reference Information

CVE: CVE-2014-7169

BID: 70137

IAVA: 2014-A-0142