Sudo Vulnerability in Version Prior to 1.8.12 Allows Local File Access
CVE-2014-9680

3.3LOW

Key Information:

Vendor

Sudo Project

Status
Sudo
Vendor
CVE Published:
24 April 2017

What is CVE-2014-9680?

The sudo program, specifically versions before 1.8.12, has an improper input validation vulnerability that allows local users to gain unauthorized read access to arbitrary files. This exploitation occurs through manipulation of the TZ environment variable and can involve executing a program within a sudo session. This can be achieved by impacting terminal output and discarding kernel-log messages, leading to significant risks for system integrity and security.

References

https://security.gentoo.org/glsa/201504-02
vendor-advisoryx_refsource_GENTOO
http://www.securitytracker.com/id/1033158
vdb-entryx_refsource_SECTRACK
http://openwall.com/lists/oss-security/2014/10/15/24
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.