Description
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Attack Vector: Local
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected Packages
2 packages
Vulnerability Details (3)
GHSA: GHSA-jh5x-7c5f-4c44: In util-linux before 2 (2022-05-13)
OSV: CVE-2018-7738: In util-linux before 2 (2018-03-07)
CVEList: CVE-2018-7738: In util-linux before 2 (2018-03-06)
Vendor Advisories (3)
Ubuntu: util-linux vulnerability (2020-09-17)
Red Hat: util-linux: Shell command injection in unescaped bash-completed mount point names (2018-03-07)
Debian: CVE-2018-7738: bash-completion - In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain... (2018)
Community (2)
Bugzilla: CVE-2018-7738 util-linux: Shell command injection in unescaped bash-completed mount point names (2018-03-07)
Bugzilla: CVE-2018-7738 util-linux: Shell command injection in unescaped bash-completed mount point names [fedora-all] (2018-03-07)