CVE-2014-9680LOW
Description
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
References
http://openwall.com/lists/oss-security/2014/10/15/24
http://rhn.redhat.com/errata/RHSA-2015-1409.html
http://www.securitytracker.com/id/1033158
Details
Source: MITRE
Published: 2017-04-24
Updated: 2018-01-05
Type: CWE-200
Risk Information
CVSS v2.0
Base Score: 2.1
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 3.9
Severity: LOW
CVSS v3.0
Base Score: 3.3
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Impact Score: 1.4
Exploitability Score: 1.8
Severity: LOW
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:sudo_project:sudo:*:p2:*:*:*:*:*:* versions up to 1.8.11 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 95556 | openSUSE Security Update : sudo (openSUSE-2016-1402) | Nessus | SuSE Local Security Checks | high |
| 95533 | openSUSE Security Update : sudo (openSUSE-2016-1381) | Nessus | SuSE Local Security Checks | high |
| 95317 | SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2016:2904-1) | Nessus | SuSE Local Security Checks | high |
| 86956 | openSUSE Security Update : sudo (openSUSE-2015-687) | Nessus | SuSE Local Security Checks | low |
| 86738 | openSUSE Security Update : sudo (openSUSE-2015-703) | Nessus | SuSE Local Security Checks | low |
| 8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
| 85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
| 85207 | Scientific Linux Security Update : sudo on SL6.x i386/x86_64 (20150722) | Nessus | Scientific Linux Local Security Checks | low |
| 85144 | OracleVM 3.3 : sudo (OVMSA-2015-0103) | Nessus | OracleVM Local Security Checks | low |
| 85104 | Oracle Linux 6 : sudo (ELSA-2015-1409) | Nessus | Oracle Linux Local Security Checks | low |
| 85017 | CentOS 6 : sudo (CESA-2015:1409) | Nessus | CentOS Local Security Checks | low |
| 84943 | RHEL 6 : sudo (RHSA-2015:1409) | Nessus | Red Hat Local Security Checks | low |
| 83971 | SUSE SLED11 / SLES11 Security Update : sudo (SUSE-SU-2015:0985-1) | Nessus | SuSE Local Security Checks | low |
| 82732 | GLSA-201504-02 : sudo: Information disclosure | Nessus | Gentoo Local Security Checks | low |
| 82379 | Mandriva Linux Security Advisory : sudo (MDVSA-2015:126) | Nessus | Mandriva Local Security Checks | high |
| 82144 | Debian DLA-160-1 : sudo security update | Nessus | Debian Local Security Checks | medium |
| 81881 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : sudo vulnerability (USN-2533-1) | Nessus | Ubuntu Local Security Checks | low |
| 81458 | Fedora 20 : sudo-1.8.12-1.fc20 (2015-2247) | Nessus | Fedora Local Security Checks | low |
| 81431 | Fedora 21 : sudo-1.8.12-1.fc21 (2015-2281) | Nessus | Fedora Local Security Checks | low |
| 81426 | Debian DSA-3167-1 : sudo - security update | Nessus | Debian Local Security Checks | low |
| 81388 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : sudo (SSA:2015-047-03) | Nessus | Slackware Local Security Checks | low |