GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
CWE-78: OS Command Injection
A malicious attacker may be able to execute arbitrary code at the privilege level of the calling application.
Apply an Update
Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be vulnerable. Contact your vendor for information about updates or patches. This Red Hat support article and blog post describe ways that Bash can be called from other programs, including network vectors such as CGI, SSH, and DHCP. Shell Shock Exploitation Vectors describes other ways this vulnerability could be exploited.
This document was written by Chris King.