CVE-2014-5220 — Command Injection in Project Mdadm

CWE-77 — Command Injection CWE-20 — Improper Input Validation6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 63.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mdadm Project Mdadm Debian Mdadm Opensuse

Timeline

PublishedJun 8

Latest updateMay 14

Description

The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/mdadm< mdadm 3.3.4-1 (bookworm)

▶NVDmdadm_project/mdadm< 3.3.3

▶Debianmdadm_project/mdadm< 3.3.4-1+3

▶NVDopensuse/opensuse13.2

🔴Vulnerability Details

GHSA

GHSA-m32j-rvq2-jpp7: The mdcheck script of the mdadm package for openSUSE 13↗2022-05-14

▶

OSV

CVE-2014-5220: The mdcheck script of the mdadm package for openSUSE 13↗2018-06-08

▶

📋Vendor Advisories

Red Hat

mdadm: Improper sanitization of device names allows arbitrary command execution↗2014-12-17

▶

Debian

CVE-2014-5220: mdadm - The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1...↗2014

▶

💬Community

Bugzilla

CVE-2014-5220 mdadm: Improper sanitization of device names allows arbitrary command execution↗2018-06-11

▶