CVE-2014-8126: Input Validation
First published: Tue Dec 02 2014(Updated: )
The HTCondor scheduler can optionally notify a user of completed jobs by sending an email. Due to the way the daemon sent the email message, authenticated users able to submit jobs could execute arbitrary code with the privileges of the condor user. Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/condor | <8.2.6 | 8.2.6 |
| HTCondor | <8.2.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2015-0035.html
- http://rhn.redhat.com/errata/RHSA-2015-0036.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1169800
- https://www-auth.cs.wisc.edu/lists/htcondor-users/2015-January/msg00034.shtml
- https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=4764
- https://htcondor-wiki.cs.wisc.edu/index.cgi/chngview?cn=41878
- https://github.com/htcondor/htcondor/commit/e891cea9970496aac74caf72604475a2b7e6a0ca.patch
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=977841&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=977841&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1181291
- https://rhn.redhat.com/errata/RHSA-2015-0036.html
- https://rhn.redhat.com/errata/RHSA-2015-0035.html
Frequently Asked Questions
What is the severity of CVE-2014-8126?
CVE-2014-8126 is classified as a critical vulnerability due to the potential for arbitrary code execution by authenticated users.
How do I fix CVE-2014-8126?
To fix CVE-2014-8126, upgrade to HTCondor version 8.2.6 or later.
Who is affected by CVE-2014-8126?
Users of HTCondor versions prior to 8.2.6, particularly those allowing job submission, are affected by CVE-2014-8126.
What type of vulnerability is CVE-2014-8126?
CVE-2014-8126 is a code execution vulnerability that allows unauthorized command execution via email notifications.
Can CVE-2014-8126 be exploited remotely?
Yes, CVE-2014-8126 can be exploited remotely by authenticated users through the email notification feature.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-8126
- agent/software-canonical-lookup
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/wisc
- canonical/htcondor