libgssapi and libgssglue prior to 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
umich libgssglue 0.2 |
||
umich libgssglue 0.1 |
||
umich libgssglue |
||
umich libgssapi 0.2 |
||
umich libgssapi 0.1 |
||
umich libgssapi |