CVE-2014-9680
Published: Apr 24, 2017
Modified: Aug 6, 2024
PUBLISHED
Description
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Tags |
|---|---|
| GLSA-201504-02 | vendor-advisory, x_refsource_GENTOO |
| 1033158 | vdb-entry, x_refsource_SECTRACK |
| [oss-security] 20141016 Abusing TZ for fun (and little profit) | mailing-list, x_refsource_MLIST |
| http://www.sudo.ws/alerts/tz.html | x_refsource_CONFIRM |
| RHSA-2015:1409 | vendor-advisory, x_refsource_REDHAT |