CVE-2016-10730 — Incorrect Use of Privileged APIs in Amanda

CWE-264 CWE-648 — Incorrect Use of Privileged APIs7 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 73.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Amanda Debian Amanda Redhat Enterprise Linux +1 more

Timeline

PublishedOct 24

Latest updateMay 14

Description

An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. Amstar is an Amanda Application API script. It should not be run by users directly. It uses star to backup and restore data. It runs binaries with root permissions when parsing the command line argument --star-path.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/amanda< amanda 1:3.3.9-1 (bookworm)

▶Debianamanda/amanda< 1:3.3.9-1+2

▶NVDzmanda/amanda3.3.1

Also affects: Enterprise Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-w8gv-pm6w-gq47: An issue was discovered in Amanda 3↗2022-05-14

▶

OSV

CVE-2016-10730: An issue was discovered in Amanda 3↗2018-10-24

▶

📋Vendor Advisories

Red Hat

amanda: Privilege escalation in amstar and amgtar via --*tar-path option↗2016-01-15

▶

Debian

CVE-2016-10730: amanda - An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivi...↗2016

▶

💬Community

Bugzilla

CVE-2016-10730 amanda: Privilege escalation in amstar and amgtar via --*tar-path option↗2018-11-06

▶

Bugzilla

CVE-2016-10730 amanda: amstar Command Injection Privilege Escalation [fedora-all]↗2018-11-06

▶