CVE-2014-9680
published 2017-04-24
Low, 3.3 (CVSS 3.0)
AV:L / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within a sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
| debian | sudo | < sudo 1.8.12-1 (bookworm) | sudo 1.8.12-1 (bookworm) |
| sudo_project | sudo | <= 1.8.11 | — |
| sudo_project | sudo | >= 0 < 1.8.12-1 | 1.8.12-1 |
| sudo_project | sudo | >= 0 < 1.8.12-1 | 1.8.12-1 |
| sudo_project | sudo | >= 0 < 1.8.12-1 | 1.8.12-1 |
| sudo_project | sudo | >= 0 < 1.8.12-1 | 1.8.12-1 |
CVSS provenance
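| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 3.3 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| osv | — | 3.3 | LOW | — |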