CVE-2020-14342

It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.
Configurations

Configuration 1 (hide)

cpe:2.3:a:samba:cifs-utils:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

History

21 Nov 2024, 05:03

Type Values Removed Values Added
CVSS v2 : 4.4
v3 : 7.0
v2 : 4.4
v3 : 4.4
References () http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00109.html - Mailing List, Third Party Advisory () http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00109.html - Mailing List, Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14342 - Issue Tracking, Patch, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14342 - Issue Tracking, Patch, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/ -
References () https://lists.samba.org/archive/samba-technical/2020-September/135747.html - Exploit, Mailing List, Vendor Advisory () https://lists.samba.org/archive/samba-technical/2020-September/135747.html - Exploit, Mailing List, Vendor Advisory
References () https://security.gentoo.org/glsa/202009-16 - Third Party Advisory () https://security.gentoo.org/glsa/202009-16 - Third Party Advisory

07 Nov 2023, 03:17

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/', 'name': 'FEDORA-2020-ea0b9caac3', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/', 'name': 'FEDORA-2020-cfdd73f1b4', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/ -

Information

Published : 2020-09-09 12:15

Updated : 2024-11-21 05:03


NVD link : CVE-2020-14342

Mitre link : CVE-2020-14342

CVE.ORG link : CVE-2020-14342


JSON object : View

Products Affected

opensuse

  • leap

fedoraproject

  • fedora

samba

  • cifs-utils
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')