For example, you work with Squid. If someone wrote a log parser that called some bash script with the content of the URL as an env var, you’d potentially have problems. Same if someone wrote an auth handler that set the username in an env var and then called a bash script. This is perhaps unusual, but is reasonable - perhaps some 3rd party auth database provides scripts that can be used to authenticate users.
Alternatively, you work with qmail, and one of your users has a .qmail file to handle mail delivery which calls any of the normal mail delivery tools, such as procmail. I send an email to this user with the MAIL FROM set to a bash function definition. qmail passes the ‘MAIL FROM’ address into this as an environment variable called SENDER. And we’re done.

http://www.gossamer-threads.com/lists/qmail/users/138578

TL;DR: email servers are potentially vulnerable too, even if not running the other already discussed attack vectors. Patch bash everywhere, not just on systems you “know” are vulnerable.
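As a defensive complement to patching, a wrapper that hands request data to a shell-based handler can refuse values that look like bash function definitions. This is an added example, not code from the original post, Squid or qmail; the helper names, the trusted base environment and the sample values are assumptions constructed for illustration.

```python
import re
import subprocess
import sys

# Unpatched bash treated any environment value starting with "() {" as a
# function definition to import. The pattern is slightly broader on purpose.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

# Hypothetical stand-in for a delivery/auth script: echoes SENDER back.
CHILD_CMD = [sys.executable, "-c", "import os; print(os.environ['SENDER'])"]


def build_child_env(untrusted, trusted=None):
    """Return (env, rejected).

    env starts from a small trusted base instead of inheriting os.environ,
    then adds only untrusted values that do not look like function
    definitions and contain no NUL byte. rejected lists the dropped names.
    """
    env = dict(trusted or {"PATH": "/usr/bin:/bin"})
    rejected = []
    for name, value in untrusted.items():
        if FUNC_DEF.match(value) or "\x00" in value:
            rejected.append(name)
        else:
            env[name] = value
    return env, sorted(rejected)


def run_handler(cmd, untrusted):
    """Run cmd with the scrubbed environment, or refuse if anything was rejected."""
    env, rejected = build_child_env(untrusted)
    if rejected:
        # Fail closed: log and skip the handler rather than run it half-configured.
        return None, rejected
    done = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return done.stdout.strip(), rejected


if __name__ == "__main__":
    # Constructed sample values, as a mail server might place them in SENDER.
    for sender in ("alice@example.org", "() { :; }; constructed-trailing-text"):
        print(repr(sender), "->", run_handler(CHILD_CMD, {"SENDER": sender}))
```

The filter only narrows exposure for callers you control; any other path that reaches bash with attacker-influenced variables is still covered only by the patch.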