Shell Command Injection Risk in CIFS Utils by Samba
CVE-2020-14342

4.4MEDIUM

Key Information:

Vendor

Samba

Status
Cifs-utils
Vendor
CVE Published:
9 September 2020
đź”” Create Samba Vulnerability Alert

What is CVE-2020-14342?

A serious vulnerability exists in the cifs-utils component of Samba, where the mount.cifs utility can invoke a shell when requesting the Samba password. This behavior presents an opportunity for an attacker, particularly one with elevated privileges or special permission to run mount.cifs (such as through sudo), to exploit this flaw. By leveraging this weakness, an attacker could craft commands that execute arbitrary code, potentially leading to privilege escalation and unauthorized system access.

Affected Version(s)

cifs-utils 6.11

References

https://lists.samba.org/archive/samba-technical/2020-Sept...
x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14342
x_refsource_CONFIRM
https://security.gentoo.org/glsa/202009-16
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.