CVE-2014-9680

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
Configurations

Configuration 1 (hide)

cpe:2.3:a:sudo_project:sudo:*:p2:*:*:*:*:*:*

History

21 Nov 2024, 02:21

Type Values Removed Values Added
References () http://openwall.com/lists/oss-security/2014/10/15/24 - Exploit, Mailing List, Third Party Advisory () http://openwall.com/lists/oss-security/2014/10/15/24 - Exploit, Mailing List, Third Party Advisory
References () http://rhn.redhat.com/errata/RHSA-2015-1409.html - () http://rhn.redhat.com/errata/RHSA-2015-1409.html -
References () http://www.securitytracker.com/id/1033158 - () http://www.securitytracker.com/id/1033158 -
References () http://www.sudo.ws/alerts/tz.html - Vendor Advisory () http://www.sudo.ws/alerts/tz.html - Vendor Advisory
References () https://security.gentoo.org/glsa/201504-02 - () https://security.gentoo.org/glsa/201504-02 -

Information

Published : 2017-04-24 06:59

Updated : 2024-11-21 02:21


NVD link : CVE-2014-9680

Mitre link : CVE-2014-9680

CVE.ORG link : CVE-2014-9680


JSON object : View

Products Affected

sudo_project

  • sudo
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor