CVE-2014-8169 — Improper Input Validation in Project Automount

CWE-264 CWE-20 — Improper Input Validation CWE-426 — Untrusted Search Path8 documents8 sources

Severity

4.4MEDIUMNVD

EPSS

0.1%

top 70.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Automount Project Automount Opensuse Redhat Enterprise Linux Desktop +3 more

Timeline

PublishedMar 18

Latest updateMay 14

Description

automount 5.0.8, when a program map uses certain interpreted languages, uses the calling user's USER and HOME environment variable values instead of the values for the user used to run the mapped program, which allows local users to gain privileges via a Trojan horse program in the user home directory.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages6 packages

▶NVDautomount_project/automount5.0.8

▶NVDopensuse/opensuse13.1, 13.2+1

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_hpc_node6.0

🔴Vulnerability Details

GHSA

GHSA-q56m-rhvg-jwg2: automount 5↗2022-05-14

▶

CVEList

CVE-2014-8169: automount 5↗2015-03-18

▶

OSV

CVE-2014-8169: automount 5↗2015-03-18

▶

📋Vendor Advisories

Ubuntu

autofs vulnerability↗2015-04-27

▶

Red Hat

autofs: priv escalation via interpreter load path for program based automount maps↗2015-03-02

▶

Debian

CVE-2014-8169: autofs - automount 5.0.8, when a program map uses certain interpreted languages, uses the...↗2014

▶

💬Community

Bugzilla

CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps↗2015-02-13

▶