CVE-2020-14342: Command Injection in Samba Cifs-utils

Severity
7.0 HIGH (NVD)
CNA: 4.4
EPSS
0.1%
top 66.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 9
Latest update: Aug 7

Description

It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 | Impact: 5.9

Affected Packages (5 packages)

Debian: samba/cifs-utils < 2:6.11-1+3
Ubuntu: samba/cifs-utils < 2:6.8-1ubuntu1.2+4
NVD: samba/cifs-utils 5.66.10
CVEListV5: samba/cifs-utils 6.11
NVD: opensuse/leap 15.1

Also affects: Fedora 32, 33

Patches

🔴 Vulnerability Details (5)

OSV: cifs-utils vulnerabilities (2025-08-07)
OSV: cifs-utils vulnerabilities (2022-06-02)
GHSA: GHSA-7mmj-72wg-6gpv: It was found that cifs-utils' mount (2022-05-24)
OSV: CVE-2020-14342: It was found that cifs-utils' mount (2020-09-09)
CVEList: CVE-2020-14342: It was found that cifs-utils' mount (2020-09-09)

📋 Vendor Advisories (5)

Ubuntu: cifs-utils vulnerabilities (2025-08-07)
Ubuntu: cifs-utils vulnerabilities (2022-06-02)
Microsoft: It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special pe (2020-09-08)
Red Hat: cifs-utils: shell command injection in mount.cifs (2020-09-03)
Debian: CVE-2020-14342: cifs-utils - It was found that cifs-utils' mount.cifs was invoking a shell when requesting th... (2020)

💬 Community (2)

Bugzilla: CVE-2020-14342 cifs-utils: shell command injection in mount.cifs [fedora-all] (2020-09-07)
Bugzilla: CVE-2020-14342 cifs-utils: shell command injection in mount.cifs (2020-07-27)