Metric | Value |
---|---|
CVSS2 score | 4.4 Medium |
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:L/AC:M/Au:N/C:P/I:P/A:P |
EPSS | 0.0004 Low |
EPSS percentile | 5.2% |

automount 5.0.8, when a program map uses certain interpreted languages,
uses the calling user’s USER and HOME environment variable values instead
of the values for the user used to run the mapped program, which allows
local users to gain privileges via a Trojan horse program in the user home
directory.
Author | Note |
---|---|
tyhicks | See Debian bug for patches backported to 5.0.8 |
mdeslaur | introduced by the following commit in 5.0.8: https://git.kernel.org/cgit/linux/storage/autofs/autofs.git/commit/?id=93eff4558659f509edc46562208ae3c452949e77 |