CVE-2014-9680

LOW

Description

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

References

http://openwall.com/lists/oss-security/2014/10/15/24

http://rhn.redhat.com/errata/RHSA-2015-1409.html

http://www.securitytracker.com/id/1033158

http://www.sudo.ws/alerts/tz.html

https://security.gentoo.org/glsa/201504-02

Details

Source: MITRE

Published: 2017-04-24

Updated: 2018-01-05

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3.0

Base Score: 3.3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 1.8

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:sudo_project:sudo:*:p2:*:*:*:*:*:* versions up to 1.8.11 (inclusive)

Tenable Plugins

| ID | Name | Product | Family | Severity |
| --- | --- | --- | --- | --- |
| 95556 | openSUSE Security Update : sudo (openSUSE-2016-1402) | Nessus | SuSE Local Security Checks | high |
| 95533 | openSUSE Security Update : sudo (openSUSE-2016-1381) | Nessus | SuSE Local Security Checks | high |
| 95317 | SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2016:2904-1) | Nessus | SuSE Local Security Checks | high |
| 86956 | openSUSE Security Update : sudo (openSUSE-2015-687) | Nessus | SuSE Local Security Checks | low |
| 86738 | openSUSE Security Update : sudo (openSUSE-2015-703) | Nessus | SuSE Local Security Checks | low |
| 8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
| 85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
| 85207 | Scientific Linux Security Update : sudo on SL6.x i386/x86_64 (20150722) | Nessus | Scientific Linux Local Security Checks | low |
| 85144 | OracleVM 3.3 : sudo (OVMSA-2015-0103) | Nessus | OracleVM Local Security Checks | low |
| 85104 | Oracle Linux 6 : sudo (ELSA-2015-1409) | Nessus | Oracle Linux Local Security Checks | low |
| 85017 | CentOS 6 : sudo (CESA-2015:1409) | Nessus | CentOS Local Security Checks | low |
| 84943 | RHEL 6 : sudo (RHSA-2015:1409) | Nessus | Red Hat Local Security Checks | low |
| 83971 | SUSE SLED11 / SLES11 Security Update : sudo (SUSE-SU-2015:0985-1) | Nessus | SuSE Local Security Checks | low |
| 82732 | GLSA-201504-02 : sudo: Information disclosure | Nessus | Gentoo Local Security Checks | low |
| 82379 | Mandriva Linux Security Advisory : sudo (MDVSA-2015:126) | Nessus | Mandriva Local Security Checks | high |
| 82144 | Debian DLA-160-1 : sudo security update | Nessus | Debian Local Security Checks | medium |
| 81881 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : sudo vulnerability (USN-2533-1) | Nessus | Ubuntu Local Security Checks | low |
| 81458 | Fedora 20 : sudo-1.8.12-1.fc20 (2015-2247) | Nessus | Fedora Local Security Checks | low |
| 81431 | Fedora 21 : sudo-1.8.12-1.fc21 (2015-2281) | Nessus | Fedora Local Security Checks | low |
| 81426 | Debian DSA-3167-1 : sudo - security update | Nessus | Debian Local Security Checks | low |
| 81388 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : sudo (SSA:2015-047-03) | Nessus | Slackware Local Security Checks | low |