CVE-2019-13638
Published
CVSS v3
N/A
CVSS v2
9.3
HIGH
Affected
1
PROJECT
Description
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
The GNU patch utility was prone vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here.
GitHub