CVE-2014-9680

Published: 24/04/2017 Updated: 05/01/2018
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 3.3 | Impact Score: 1.4 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

sudo prior to 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within a sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

Vulnerable Products

sudo project: sudo

Vendor Advisories

Sudo would allow unintended access to files ...
Debian Bug report logs - #772707 sudo: CVE-2014-9680: preserves TZ by default. Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo. Reported by: Jakub Wilk <jwilk@debian.org>. Date: Wed, 10 Dec 2014 11:36:07 UTC. Severity: important. Tags: fixed-upstream, ...
Debian Bug report logs - #804149 CVE-2015-5602: Unauthorized privilege escalation in sudoedit. Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo. Reported by: Laurent Bigonville <bigon@debian.org>. Date: Thu, 5 Nov 2015 13:15:01 UTC. Severity: critical ...
It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. Note: The default sudoers confi ...

Github Repositories

Custom version of sudo 1.8.3p1 with CVE-2021-3156 patches applied

sudo-183p1-patched: This is a custom version of sudo, based on the sudo 1.8.3p1 package as provided by Canonical for Ubuntu 12.04 using the URLs below, with the CVE-2021-3156 patches applied: us.archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.3p1-1ubuntu3.7.dsc us.archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.3p1.orig.tar.gz us.archive.ubuntu.co