Description
automount 5.0.8, when a program map uses certain interpreted languages, uses the calling user's USER and HOME environment variable values instead of the values for the user used to run the mapped program, which allows local users to gain privileges via a Trojan horse program in the user home directory.
References (7)
Core 7
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2579-1
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1344.html
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1192565
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Vendor Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-03/msg00033.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/73211
Issue Tracking x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=917977
Scores
EPSS
0.0011
EPSS Percentile
28.9%
Details
CWE
CWE-264
Status
published
Products (7)
automount_project/automount
5.0.8
opensuse/opensuse
13.1
opensuse/opensuse
13.2
redhat/enterprise_linux_desktop
6.0
redhat/enterprise_linux_hpc_node
6.0
redhat/enterprise_linux_server
6.0
redhat/enterprise_linux_workstation
6.0
Published
Mar 18, 2015
Tracked Since
Feb 18, 2026