CVE-2022-42717
Published 2022-10-11
Priority P344 · Severity high · CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.23% (13.3rd percentile)
An issue was discovered in Hashicorp Packer before 2.3.1. The recommended sudoers configuration for Vagrant on Linux is insecure. If the host has been configured according to this documentation, non-privileged users on the host can leverage a wildcard in the sudoers configuration to execute arbitrary commands as root.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hashicorp | vagrant | < 2.3.1 | 2.3.1 |
| msrc | cbl2_packer_1.8.7-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
OSV: CVE-2021-42717 modsecurity-apache vulnerabilities (osv · 2023-09-14 · CVSS 7.5)
It was discovered that ModSecurity incorrectly handled certain nested JSON objects. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-42717)

It was discovered that ModSecurity incorrectly handled certain HTTP multipart requests. A remote attacker could possibly use this issue to bypass ModSecurity restrictions. (CVE-2022-48279)

It was discovered that ModSecurity incorrectly handled certain file uploads. A remote attacker could possibly use this issue to cause a buffer overflow and a firewall failure. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-24021)
GHSA: GHSA-mc87-5qgf-5qvj for CVE-2022-42717 (ghsa_unreviewed · 2022-10-12 · HIGH · CWE-269). Description identical to the NVD text above.
OSV: CVE-2022-42717 (osv · 2022-10-11 · CVSS 7.8 · HIGH). Description identical to the NVD text above.
Microsoft: CVE-2022-42717 (vendor_msrc · 2022-10-11 · CVSS 7.8 · HIGH). Description identical to the NVD text above.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in Oct
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://discuss.hashicorp.com/t/hcsec-2022-23-vagrant-nfs-sudoers-configuration-allows-for-local-privilege-escalation/45423
https://github.com/hashicorp/vagrant/pull/12910
https://www.vagrantup.com/docs/synced-folders/nfs