{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-03T13:06:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security-tracker.debian.org/tracker/CVE-2019-13638"}, {"tags": ["x_refsource_MISC"], "url": "https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0"}, {"name": "DSA-4489", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4489"}, {"name": "20190730 [SECURITY] [DSA 4489-1] patch security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jul/54"}, {"name": "20190816 Details about recent GNU patch vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Aug/29"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html"}, {"name": "GLSA-201908-22", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201908-22"}, {"name": "FEDORA-2019-ac709da87f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190828-0001/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/irsl/gnu-patch-vulnerabilities"}, {"name": "RHSA-2019:2798", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2798"}, {"name": "RHSA-2019:2964", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2964"}, {"name": "RHSA-2019:3757", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3757"}, {"name": "RHSA-2019:3758", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3758"}, {"name": "RHSA-2019:4061", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:4061"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13638", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://security-tracker.debian.org/tracker/CVE-2019-13638", "refsource": "MISC", "url": "https://security-tracker.debian.org/tracker/CVE-2019-13638"}, {"name": "https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0", "refsource": "MISC", "url": "https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0"}, {"name": "DSA-4489", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4489"}, {"name": "20190730 [SECURITY] [DSA 4489-1] patch security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jul/54"}, {"name": "20190816 Details about recent GNU patch vulnerabilities", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/29"}, {"name": "http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html"}, {"name": "GLSA-201908-22", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-22"}, {"name": "FEDORA-2019-ac709da87f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/"}, {"name": "https://security.netapp.com/advisory/ntap-20190828-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190828-0001/"}, {"name": "https://github.com/irsl/gnu-patch-vulnerabilities", "refsource": "MISC", "url": "https://github.com/irsl/gnu-patch-vulnerabilities"}, {"name": "RHSA-2019:2798", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2798"}, {"name": "RHSA-2019:2964", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2964"}, {"name": "RHSA-2019:3757", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3757"}, {"name": "RHSA-2019:3758", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3758"}, {"name": "RHSA-2019:4061", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:4061"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:57:39.539Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security-tracker.debian.org/tracker/CVE-2019-13638"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0"}, {"name": "DSA-4489", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4489"}, {"name": "20190730 [SECURITY] [DSA 4489-1] patch security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Jul/54"}, {"name": "20190816 Details about recent GNU patch vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Aug/29"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html"}, {"name": "GLSA-201908-22", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201908-22"}, {"name": "FEDORA-2019-ac709da87f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190828-0001/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/irsl/gnu-patch-vulnerabilities"}, {"name": "RHSA-2019:2798", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2798"}, {"name": "RHSA-2019:2964", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2964"}, {"name": "RHSA-2019:3757", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3757"}, {"name": "RHSA-2019:3758", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3758"}, {"name": "RHSA-2019:4061", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:4061"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13638", "datePublished": "2019-07-26T12:22:43", "dateReserved": "2019-07-17T00:00:00", "dateUpdated": "2024-08-04T23:57:39.539Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:patch:2.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "050A9139-DC81-4789-8FD9-A6EBFB8ED6E2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156."}, {"lang": "es", "value": "RouterOS de Mikrotik anterior a versi\u00f3n 6.44.5 (\u00e1rbol de actualizaciones a largo plazo) es vulnerable al agotamiento de la memoria. Mediante el env\u00edo de una petici\u00f3n HTTP dise\u00f1ada, un atacante remoto autenticado puede bloquear el servidor HTTP y, en algunas circunstancias, reiniciar el sistema. El c\u00f3digo no puede ser inyectado."}], "id": "CVE-2019-13638", "lastModified": "2023-11-07T03:03:53.883", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-26T13:15:12.783", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2798"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2964"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:3757"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:3758"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:4061"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0"}, {"source": "cve@mitre.org", "url": "https://github.com/irsl/gnu-patch-vulnerabilities"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Aug/29"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jul/54"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2019-13638"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201908-22"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20190828-0001/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4489"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:2964", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "patch-0:2.7.1-12.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-10-03T00:00:00Z"}, {"advisory": "RHSA-2019:4061", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "patch-0:2.7.1-11.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2019-12-03T00:00:00Z"}, {"advisory": "RHSA-2019:4061", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "patch-0:2.7.1-11.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2019-12-03T00:00:00Z"}, {"advisory": "RHSA-2019:4061", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "patch-0:2.7.1-11.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2019-12-03T00:00:00Z"}, {"advisory": "RHSA-2019:3757", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "patch-0:2.7.1-11.el7_5", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:3758", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "patch-0:2.7.1-11.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:2798", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "patch-0:2.7.6-9.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-09-19T00:00:00Z"}], "bugzilla": {"description": "patch: OS shell command injection when processing crafted patch files", "id": "1733916", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1733916"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-78", "details": ["GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.", "A flaw was found in GNU patch through version 2.7.6. An ed-style diff payload patch file with shell metacharacters can be used to inject OS shell commands into a system. The ed editor does not need to be present on the vulnerable system for this attack to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2019-13638", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "patch", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "patch", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2019-07-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-13638\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-13638"], "statement": "Red Hat Enterprise Linux 6 is not affected by this vulnerability as the shipped version of patch did not carry the code that introduced this flaw.", "threat_severity": "Important"}