CVE-2014-9471

The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.

Published: Jan 16, 2015
Updated: Apr 13, 2023
CVE: CVE-2014-9471
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
gnu / coreutils	-	8.23
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	10.04	10.04.x

http://advisories.mageia.org/MGASA-2015-0029.html
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
http://secunia.com/advisories/62226
http://ubuntu.com/usn/usn-2473-1
http://www.mandriva.com/security/advisories?name=MDVSA-2015:179
http://www.openwall.com/lists/oss-security/2014/11/25/1
http://www.openwall.com/lists/oss-security/2014/11/25/4
http://www.openwall.com/lists/oss-security/2015/01/03/11
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766147
https://security.gentoo.org/glsa/201612-22

Vulnerability Database

289,697

CVE-2014-9471