1. Home
  2. CVE Database
  3. CVE-2012-6711
HIGH · 7.0

CVE-2012-6711

A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in fun...

Vulnerability Description

A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().

CVSS Score

7.0

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
GnuBash>= 4.2, <= 4.3
RedhatEnterprise Linux7.0

Related Weaknesses (CWE)

CWE-119

References

FAQ

What is CVE-2012-6711?

CVE-2012-6711 is a vulnerability with a CVSS score of 7.0 (HIGH). A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in fun...

How severe is CVE-2012-6711?

CVE-2012-6711 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2012-6711?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Bash, Redhat Enterprise Linux.