Cyber Resilience

CVE-2014-7169

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 25 September 2014
Modified: 22 April 2026
KEV Added: 28 January 2022
Patch:
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8906 (99.5th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-7169 is a critical-severity OS Command Injection (CWE-78) vulnerability in IBM QRadar Security Information and Event Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

GNU Bash through version 4.3 patch level bash43-025 carries an incomplete fix for CVE-2014-6271: it still processes trailing strings after malformed function definitions supplied in environment variable values. The flaw affects any Bash instance that evaluates attacker-controlled environment data; it is classified under CWE-78 as a command-injection issue and carries a CVSS 3.1 score of 9.8.

Remote attackers can supply a crafted environment across a privilege boundary, for example through OpenSSH ForceCommand directives, Apache mod_cgi or mod_cgid handlers, or DHCP client scripts, enabling them to write arbitrary files or achieve other unspecified impacts on the target system.

The references list vendor advisories and vulnerability notes but supply no explicit mitigation details within the given inputs.

EU & UK References

Vulnerability details

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CWE(s):
KEV Date Added: 28 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gnu bash: ≤ 4.3
arista eos: 4.9.0 — 4.9.12 · 4.10.0 — 4.10.9 · 4.11.0 — 4.11.11
oracle linux: 4, 5, 6
qnap qts: 4.1.1 · ≤ 4.1.1
mageia mageia: 3.0, 4.0
redhat gluster storage server for on-premise: 2.1
redhat virtualization: 3.4
redhat enterprise linux: 4.0, 5.0, 6.0, 7.0
redhat enterprise linux desktop: 5.0, 6.0, 7.0
redhat enterprise linux eus: 5.9, 6.4, 6.5, 7.3, 7.4
+64 more product configuration(s); see NVD for the full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires applying the vendor patch that completes the fix for the bash43-025 environment-variable parsing flaw.

prevent: Mandates validation and sanitization of untrusted environment-variable values before they are supplied to Bash across a privilege boundary.

prevent: Limits the privileges of processes (sshd ForceCommand, mod_cgi, DHCP clients) that receive attacker-controlled environment data, reducing the impact of successful injection.
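The second and third controls above (validate untrusted environment values, and give the process that hands them to Bash as little as possible) can be enforced at the point where a CGI-style handler or a wrapper around sshd's ForceCommand builds the child environment. The following is an added example written for this page, not code from the advisory, NVD or any listed vendor; it assumes a hypothetical wrapper in which an allowlist (ALLOWED_VARS), a fixed base environment (BASE_ENV) and a constructed request environment are all placeholders. It starts from a fixed minimal environment rather than inheriting the parent's, passes through only allowlisted names, and rejects any value that begins with the exported-function prefix Bash parses (the "malformed function definitions" the page refers to) or contains control characters. Patching Bash (SI-2) remains the actual fix; this is a compensating control for the hop across the privilege boundary.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Hypothetical allowlist: only these names are forwarded to child processes.
ALLOWED_VARS = {"LANG", "REQUEST_METHOD", "QUERY_STRING", "HTTP_USER_AGENT", "REMOTE_ADDR"}

# Fixed base environment; never derived from the untrusted request (assumed values).
BASE_ENV = {"PATH": "/usr/bin:/bin", "HOME": "/nonexistent"}

# Bash recognises an exported function as a value starting with "() {".
# CVE-2014-6271 and CVE-2014-7169 both hinge on Bash parsing such values from
# the environment, so the wrapper refuses to forward anything shaped like one.
_FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")


def looks_like_function_definition(value: str) -> bool:
    """True if the value would be parsed by a vulnerable Bash as a function body."""
    return bool(_FUNC_DEF.match(value))


def sanitize_env(untrusted: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the child environment from BASE_ENV plus validated request values.

    Returns (clean_env, rejected) where rejected maps each dropped name to the
    reason, so the caller can log it as a detection signal.
    """
    clean: Dict[str, str] = dict(BASE_ENV)
    rejected: Dict[str, str] = {}
    for name, value in untrusted.items():
        if name not in ALLOWED_VARS:
            rejected[name] = "not in allowlist"
        elif looks_like_function_definition(value):
            rejected[name] = "bash function definition"
        elif "\0" in value or "\n" in value:
            rejected[name] = "control characters"
        else:
            clean[name] = value
    return clean, rejected


def run_with_clean_env(argv: List[str], untrusted: Dict[str, str]) -> subprocess.CompletedProcess:
    """Spawn argv with the sanitized environment only (no inheritance of os.environ)."""
    clean, rejected = sanitize_env(untrusted)
    for name, reason in rejected.items():
        # In a real handler this goes to the security log; a burst of
        # "bash function definition" rejections is a scan in progress.
        print(f"dropped env var {name}: {reason}")
    return subprocess.run(argv, env=clean, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed request environment: one benign header, one value shaped like
    # an exported Bash function (harmless body), one variable not on the allowlist.
    sample_request = {
        "REQUEST_METHOD": "GET",
        "QUERY_STRING": "page=1",
        "HTTP_USER_AGENT": "() { :; }; /bin/true",
        "LD_PRELOAD": "/tmp/whatever.so",
    }
    result = run_with_clean_env(["/bin/sh", "-c", 'printf "%s" "$QUERY_STRING"'], sample_request)
    print("child saw QUERY_STRING =", result.stdout)
```

Because the child never receives HTTP_USER_AGENT in this run, the value is never parsed by Bash at all; the rejection reason is what a detection rule should key on, since the same prefix is what network and web-server signatures for this CVE family match.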

References