CVE-2022-3715: Buffer Overflow
First published: Wed Sep 14 2022(Updated: )
A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU Bash | >=5.1<5.1.8 | |
| Redhat Enterprise Linux | =9.0 | |
| redhat/bash | <5.1.8 | 5.1.8 |
| debian/bash | 5.0-4 5.2.15-2 5.2.21-2 | |
| ubuntu/bash | <5.1-6ubuntu1.1 | 5.1-6ubuntu1.1 |
| ubuntu/bash | <5.2 | 5.2 |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Remedy
http://git.savannah.gnu.org/cgit/bash.git/commit/subst.c?id=74091dd4e8086db518b30df7f222691524469998
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2126720
- https://launchpad.net/bugs/cve/CVE-2022-3715
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2122331
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141577
- https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2126720#c7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2126720#c8
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1908373
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1908373&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2126720#c10
- https://access.redhat.com/errata/RHSA-2023:0340
- https://access.redhat.com/security/cve/cve-2022-3715
- http://git.savannah.gnu.org/cgit/bash.git/commit/?id=bdf37a2d4f0f052ffd15d36de3b3a5d28f357000
- https://security-tracker.debian.org/tracker/CVE-2022-3715
- https://access.redhat.com/security/cve/CVE-2022-3715
- https://ubuntu.com/security/notices/USN-6697-1
- https://www.cve.org/CVERecord?id=CVE-2022-3715
- https://nvd.nist.gov/vuln/detail/CVE-2022-3715
- http://git.savannah.gnu.org/cgit/bash.git/commit/subst.c?id=74091dd4e8086db518b30df7f222691524469998
- https://git.rockylinux.org/staging/rpms/bash/-/blob/r9/SOURCES/bash-5.2-check-xform.patch
- https://ubuntu.com/security/CVE-2022-3715
- https://exchange.xforce.ibmcloud.com/vulnerabilities/244507
- https://www.ibm.com/support/pages/node/7156941 (Advisory)
Frequently Asked Questions
What is CVE-2022-3715?
CVE-2022-3715 is a vulnerability found in the bash package where a heap-buffer overflow can occur in valid parameter_transform.
What is the severity of CVE-2022-3715?
The severity of CVE-2022-3715 is high with a CVSS score of 7.8.
Which software is affected by CVE-2022-3715?
The bash package with version up to and including 5.1.8, GNU Bash, and Redhat Enterprise Linux version 9.0 are affected by CVE-2022-3715.
How can CVE-2022-3715 lead to memory problems?
CVE-2022-3715 can lead to memory problems due to the heap-buffer overflow that can occur in valid parameter_transform.
How do I fix CVE-2022-3715?
To fix CVE-2022-3715, update the bash package to version 5.1.8 or apply the relevant patch provided by the vendor.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3715
- agent/event
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/severity
- agent/tags
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/gnu
- canonical/gnu bash
- version/gnu bash/5.1
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/9.0
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp3