CVE-2016-10729

Published: Oct 24, 2018Modified: Nov 21, 2024

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.

Affected (6)

Products: Zmanda: Amanda · Redhat: Enterprise Linux · Debian: Debian Linux

1 product

1 product

Enterprise Linux

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zmanda Amanda	Version 3.3.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://www.exploit-db.com/exploits/39217/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.exploit-db.com/exploits/39217/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.