rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
Created bash tracking bugs for this issue:
Affects: fedora-all [bug 1691775]
An attacker can execute binaries with / in their names even when bash is used as a Restricted Shell, by abusing the environment variable BASH_CMDS.
This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 5 as they did not include support for the BASH_CMDS environment variable.
Red Hat Virtualization Hypervisor and Management Appliance were affected by this issue, but do not use the restricted bash shell in a way that would be exposed to attackers. Future updates may address this issue.
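An exposure check for the issue described above, added here as an example and not taken from this bug report or from Red Hat: it flags hosts where accounts log in to rbash and the bash version string predates 4.4-beta2. The function names and the sample passwd data are assumptions made for illustration.

```shell
# Added example. The 4.4-beta2 cutoff is from the page; names and data are assumed.

# Exit 0 if a $BASH_VERSION-style string (e.g. "4.3.48(1)-release") predates
# 4.4-beta2, 1 if it does not, 2 if it cannot be parsed.
# Caveat: a vendor may backport the fix without changing this string, so
# "predates" means "check the vendor advisory", not "confirmed vulnerable".
bash_predates_fix() {
    ver=${1%%-*}; status=${1#*-}
    case "$ver" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%[!0-9]*}
    case "$major" in *[!0-9]*) return 2 ;; esac
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 4 ] && return 0
    [ "$minor" -gt 4 ] && return 1
    # 4.4.x: only pre-releases older than beta2 predate the fix.
    case "$status" in alpha*|beta|beta1) return 0 ;; esac
    return 1
}

# Print account names from passwd-format input (stdin) whose login shell has
# the basename "rbash". Restricted shells started another way are not detected.
rbash_accounts() {
    awk -F: '!/^#/ && NF >= 7 { n = split($7, p, "/"); if (p[n] == "rbash") print $1 }'
}

# Constructed sample data, for demonstration only.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
kiosk:x:1001:1001:Kiosk:/home/kiosk:/bin/rbash
backup:x:1002:1002::/home/backup:/usr/local/bin/rbash
svc:x:1003:1003::/home/svc:/sbin/nologin
EOF
}

# audit VERSION < passwd-file
# Exit 1 when rbash accounts exist and the version predates the fix.
audit() {
    accounts=$(rbash_accounts | tr '\n' ' ')
    [ -n "$accounts" ] || { echo "no rbash login shells"; return 0; }
    rc=0; bash_predates_fix "$1" || rc=$?
    case $rc in
        0) echo "review: bash $1 predates 4.4-beta2; rbash users: $accounts"; return 1 ;;
        1) echo "ok: bash $1 is 4.4-beta2 or later"; return 0 ;;
        *) echo "unknown bash version: $1"; return 2 ;;
    esac
}
```

On a host, run it as `audit "$(bash -c 'echo $BASH_VERSION')" < /etc/passwd`.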
Is there any plan to have this moderate issue patched on RHEL7? If so, is there any ETA on that patch's availability?