CVE-2014-9680

Impact: Moderate
Public Date: 2014-10-16
CWE: CWE-20
Bugzilla: 1191144: CVE-2014-9680 sudo: unsafe handling of TZ environment variable

It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed.

Find out more about CVE-2014-9680 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect the default sudo configuration in Red Hat Enterprise Linux 5, 6, and 7.
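
Whether a system is exposed depends on whether its sudoers policy departs from that default and lets TZ through. The following is an added example, not code from Red Hat or the sudo project: a small Python audit that flags `Defaults` lines which preserve TZ through `env_keep` (directly or via a `*` pattern) or which disable `env_reset`. The sample sudoers text is constructed and the function names are hypothetical; the script reports lines for review and does not compute the effective policy per user or host.

```python
import re

# Constructed sample sudoers content for illustration (not taken from the advisory).
SAMPLE_SUDOERS = r'''Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME"
# Defaults  env_keep += "TZ"
Defaults    env_keep += "LANG TZ \
                         LC_ALL"
Defaults:backup env_keep += "LC_* T*"
Defaults    env_keep -= "TZ"
Defaults>operator !env_reset
'''

# Matches env_keep with its operator and either a quoted list or a bare word.
ENV_KEEP = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*(?:"([^"]*)"|([^\s,]+))')

def logical_lines(text):
    """Yield (first_line_number, joined_text), honouring backslash continuations."""
    buf, start = "", None
    for num, line in enumerate(text.splitlines(), 1):
        start = start or num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def keeps_tz(entry):
    """True if an env_keep entry (NAME, NAME=value, or a '*' pattern) covers TZ."""
    name = entry.split("=", 1)[0]
    return re.fullmatch(re.escape(name).replace(r"\*", ".*"), "TZ") is not None

def audit_sudoers(text):
    """Return [(line_number, reason)] for Defaults lines that let TZ through."""
    findings = []
    for num, line in logical_lines(text):
        stripped = line.strip()
        if not stripped.startswith("Defaults"):
            continue  # comments, rules and aliases do not set env_keep
        for op, quoted, bare in ENV_KEEP.findall(stripped):
            hits = [e for e in (quoted or bare).split() if keeps_tz(e)]
            if op != "-=" and hits:  # "-=" removes entries, so it is not a finding
                findings.append((num, "env_keep preserves TZ via " + ", ".join(hits)))
        if re.search(r"!\s*env_reset\b", stripped):
            findings.append((num, "env_reset disabled: caller environment inherited"))
    return findings

if __name__ == "__main__":
    for num, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {num}: {reason}")
```

To check a real host, pass the contents of the sudoers file and of each included file to `audit_sudoers` in place of the sample text.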

CVSS v2 metrics

Base Score: 3
Base Metrics: AV:L/AC:M/Au:S/C:N/I:P/A:P
Access Vector: Local
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform                           Errata          Release Date
Red Hat Enterprise Linux 6 (sudo)  RHSA-2015:1409  2015-07-20
Red Hat Enterprise Linux 7 (sudo)  RHBA-2015:2424  2015-11-19

Affected Packages State

Platform                    Package  State
Red Hat Enterprise Linux 5  sudo     Will not fix
Red Hat Enterprise Linux 4  sudo     Will not fix
