CVE-2019-13638

moderate-risk
Published 2019-07-26

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

Do I need to act?

~
2.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (4)

Affected Vendors

Debian Gnu

References (30)

http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Director...
https://access.redhat.com/errata/RHSA-2019:2798
https://access.redhat.com/errata/RHSA-2019:2964
https://access.redhat.com/errata/RHSA-2019:3757
https://access.redhat.com/errata/RHSA-2019:3758
https://access.redhat.com/errata/RHSA-2019:4061
Mailing List https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5...
https://github.com/irsl/gnu-patch-vulnerabilities
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://seclists.org/bugtraq/2019/Aug/29
Mailing List https://seclists.org/bugtraq/2019/Jul/54
Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2019-13638
https://security.gentoo.org/glsa/201908-22
https://security.netapp.com/advisory/ntap-20190828-0001/
Third Party Advisory https://www.debian.org/security/2019/dsa-4489
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Director...
https://access.redhat.com/errata/RHSA-2019:2798
https://access.redhat.com/errata/RHSA-2019:2964
https://access.redhat.com/errata/RHSA-2019:3757
https://access.redhat.com/errata/RHSA-2019:3758
and 10 more references
39
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 5/34 · Minimal
Exposure 10/34 · Low