CVE-2009-4273

Exp

stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.

Published: 2010-01-26 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2009-4273 is rated High Exploit Risk (87.5/100): CVSS Critical severity, with high exploitation likelihood (EPSS 22.40%, 96th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2009-4273

EDB-ID Source Kind Published Link
33535 exploit_db edb 2010-01-15 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2009-4273

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-14 23.40% 22.40% -1.00%
2 2026-02-03 20.18% 23.40% +3.22%
3 2025-03-30 20.18%

Full EPSS history (12 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-4273

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
10.0 2.0 HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 10.0 10.0 [email protected]

Weakness enumeration for CVE-2009-4273

OS Trackers for CVE-2009-4273

vendor priority summary link
debian not yet assigned CVE-2009-4273 not yet assigned priority: Debian including 1 source packages (systemtap), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2009-4273
redhat high https://access.redhat.com/security/cve/CVE-2009-4273
suse critical CVE-2009-4273 severity critical: SUSE including 48 source package names (systemtap-0.7.1-42.5.1, systemtap-1.0-0.15.16, …), 60 product×package rows across 25 product lines (SUSE Linux Enterprise High Performance Computing 12 SP5, SUSE Linux Enterprise Module for Development Tools 15, … (25 product lines)): Fixed 60. https://www.suse.com/security/cve/CVE-2009-4273/
ubuntu medium CVE-2009-4273 medium priority: Ubuntu including 1 source packages (systemtap), 13 status rows across 13 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, precise, quantal, raring, upstream): ignored 8, not-affected 3, DNE 1, released 1. https://ubuntu.com/security/CVE-2009-4273

Affected software / configurations for CVE-2009-4273

Vendor Product Version Raw CPE
systemtap systemtap <= 1.0 cpe:2.3:a:systemtap:systemtap:*:*:*:*:*:*:*:*
systemtap systemtap 0.2.2 cpe:2.3:a:systemtap:systemtap:0.2.2:*:*:*:*:*:*:*
systemtap systemtap 0.3 cpe:2.3:a:systemtap:systemtap:0.3:*:*:*:*:*:*:*
systemtap systemtap 0.4 cpe:2.3:a:systemtap:systemtap:0.4:*:*:*:*:*:*:*
systemtap systemtap 0.5 cpe:2.3:a:systemtap:systemtap:0.5:*:*:*:*:*:*:*
systemtap systemtap 0.5.3 cpe:2.3:a:systemtap:systemtap:0.5.3:*:*:*:*:*:*:*
systemtap systemtap 0.5.4 cpe:2.3:a:systemtap:systemtap:0.5.4:*:*:*:*:*:*:*
systemtap systemtap 0.5.5 cpe:2.3:a:systemtap:systemtap:0.5.5:*:*:*:*:*:*:*
systemtap systemtap 0.5.7 cpe:2.3:a:systemtap:systemtap:0.5.7:*:*:*:*:*:*:*
systemtap systemtap 0.5.8 cpe:2.3:a:systemtap:systemtap:0.5.8:*:*:*:*:*:*:*
systemtap systemtap 0.5.9 cpe:2.3:a:systemtap:systemtap:0.5.9:*:*:*:*:*:*:*
systemtap systemtap 0.5.10 cpe:2.3:a:systemtap:systemtap:0.5.10:*:*:*:*:*:*:*
systemtap systemtap 0.5.12 cpe:2.3:a:systemtap:systemtap:0.5.12:*:*:*:*:*:*:*
systemtap systemtap 0.5.13 cpe:2.3:a:systemtap:systemtap:0.5.13:*:*:*:*:*:*:*
systemtap systemtap 0.5.14 cpe:2.3:a:systemtap:systemtap:0.5.14:*:*:*:*:*:*:*
systemtap systemtap 0.6 cpe:2.3:a:systemtap:systemtap:0.6:*:*:*:*:*:*:*
systemtap systemtap 0.6.2 cpe:2.3:a:systemtap:systemtap:0.6.2:*:*:*:*:*:*:*
systemtap systemtap 0.7 cpe:2.3:a:systemtap:systemtap:0.7:*:*:*:*:*:*:*
systemtap systemtap 0.7.2 cpe:2.3:a:systemtap:systemtap:0.7.2:*:*:*:*:*:*:*
systemtap systemtap 0.8 cpe:2.3:a:systemtap:systemtap:0.8:*:*:*:*:*:*:*
systemtap systemtap 0.9 cpe:2.3:a:systemtap:systemtap:0.9:*:*:*:*:*:*:*
systemtap systemtap 0.9.5 cpe:2.3:a:systemtap:systemtap:0.9.5:*:*:*:*:*:*:*
systemtap systemtap 0.9.7 cpe:2.3:a:systemtap:systemtap:0.9.7:*:*:*:*:*:*:*
systemtap systemtap 0.9.8 cpe:2.3:a:systemtap:systemtap:0.9.8:*:*:*:*:*:*:*
systemtap systemtap 0.9.9 cpe:2.3:a:systemtap:systemtap:0.9.9:*:*:*:*:*:*:*

References for CVE-2009-4273

URL Tags
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035201.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035261.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034036.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034041.html Patch
http://lists.fedoraproject.org/pipermail/scm-commits/2010-February/394714.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html
http://secunia.com/advisories/38154 Vendor Advisory
http://secunia.com/advisories/38216 Vendor Advisory
http://secunia.com/advisories/38765
http://secunia.com/advisories/39656
http://sourceware.org/bugzilla/show_bug.cgi?id=11105
http://sourceware.org/ml/systemtap/2010-q1/msg00142.html
http://sourceware.org/systemtap/ftp/releases/systemtap-1.1.tar.gz Patch
http://www.redhat.com/support/errata/RHSA-2010-0124.html
http://www.vupen.com/english/advisories/2010/0169 Vendor Advisory
http://www.vupen.com/english/advisories/2010/1001
https://bugzilla.redhat.com/show_bug.cgi?id=550172
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11417
cvelogic Threat Intelligence