Description
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within a sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.8 | Impact: 1.4
Attack Vector: Local
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Affected Packages: 2 packages
Vulnerability Details (3)
GHSA: GHSA-xgww-w8fw-rw7h: sudo before 1 (2022-05-14)
CVEList: CVE-2014-9680: sudo before 1 (2017-04-24)
OSV: CVE-2014-9680: sudo before 1 (2017-04-24)
Vendor Advisories (4)
Ubuntu: Sudo vulnerability (2015-03-16)
Red Hat: sudo: unsafe handling of TZ environment variable (2014-10-16)
Debian: CVE-2014-9680: sudo - sudo before 1.8.12 does not ensure that the TZ environment variable is associate... (2014)
Apple: CVE-2014-9680: OS X Yosemite v10.10.5 and Security Update 2015-006
Community (2)
Bugzilla: procmail: unsafe handling of TZ environment variable (2015-02-12)
Bugzilla: CVE-2014-9680 sudo: unsafe handling of TZ environment variable (2015-02-10)