Vulnerability CVE-2014-8169


Published: 2015-03-18

Description:
automount 5.0.8, when a program map uses certain interpreted languages, uses the calling user's USER and HOME environment variable values instead of the values for the user used to run the mapped program, which allows local users to gain privileges via a Trojan horse program in the user home directory.

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.4/10
6.4/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Redhat -> Enterprise linux desktop 
Redhat -> Enterprise linux hpc node 
Redhat -> Enterprise linux server 
Redhat -> Enterprise linux workstation 
Opensuse -> Opensuse 
Novell -> Opensuse 
Automount project -> Automount 

 References:
http://lists.opensuse.org/opensuse-updates/2015-03/msg00033.html
http://rhn.redhat.com/errata/RHSA-2015-1344.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/73211
http://www.ubuntu.com/usn/USN-2579-1
https://bugzilla.redhat.com/show_bug.cgi?id=1192565
https://bugzilla.suse.com/show_bug.cgi?id=917977

Copyright 2024, cxsecurity.com

 

Back to Top