CVE-2004-1051

Sažetak

sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname.

Reference

http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
http://marc.info/?l=bugtraq&m=110028877431192&w=2
http://marc.info/?l=bugtraq&m=110598298225675&w=2
http://www.debian.org/security/2004/dsa-596
http://www.mandriva.com/security/advisories?name=MDKSA-2004:133
http://www.securityfocus.com/bid/11668
http://www.sudo.ws/sudo/alerts/bash_functions.html
http://www.trustix.org/errata/2004/0061/
https://exchange.xforce.ibmcloud.com/vulnerabilities/18055
https://www.ubuntu.com/usn/usn-28-1/

CVSS

Base:	7.2
Impact:	10.0
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:L/AC:L/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

11-07-2017 - 01:30

Objavljeno

01-03-2005 - 05:00