CVE-2014-9680
First published: Mon Apr 24 2017(Updated: )
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sudo Project Sudo | <=1.8.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-9680?
The severity of CVE-2014-9680 is considered low, with a score of 3.3.
How do I fix CVE-2014-9680?
To fix CVE-2014-9680, update sudo to version 1.8.12 or later.
What vulnerabilities does CVE-2014-9680 expose?
CVE-2014-9680 allows local users to open arbitrary files for read access by running a program within a sudo session.
Which versions of sudo are affected by CVE-2014-9680?
CVE-2014-9680 affects sudo versions before 1.8.12.
Who is affected by CVE-2014-9680?
Local users on systems running vulnerable versions of sudo before 1.8.12 are affected by CVE-2014-9680.
- collector/nvd-index
- vendor/sudo project
- product/sudo
- canonical/sudo project sudo