CVE-2017-7642

7.8HIGH

Key Information:

Vendor: Hashicorp
Status: Vagrant Vmware Fusion
Vendor: CVE Published:; 2 August 2017

Summary

The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable.

References

http://seclists.org/fulldisclosure/2017/Jul/29

mailing-listx_refsource_FULLDISC

https://github.com/hashicorp/vagrant-plugin-changelog/blo...

x_refsource_CONFIRM

https://www.exploit-db.com/exploits/42334/

exploitx_refsource_EXPLOIT-DB

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 2, 2017
Vulnerability Reserved
Apr 10, 2017