GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.
Command Injection
Apache
SSH
RCE
NVD
Exploit-DB
VulDB
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8