CVE-2020-14342
Severity: MEDIUM
cifs-utils 5.6-6.10 - OS Command Injection via Samba Password Request
Title source: llmDescription
It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.
References (6)
Exploit, Mailing List, Vendor Advisory (x_refsource_misc): https://lists.samba.org/archive/samba-technical/2020-September/135747.html
Issue Tracking, Patch, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14342
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202009-16
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00109.html
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/
Scores
CVSS v3: 4.4
EPSS: 0.0013
EPSS Percentile: 32.8%
Attack Vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE: CWE-78, CWE-77
Status: published
Products (4)
fedoraproject/fedora 32
fedoraproject/fedora 33
opensuse/leap 15.1
samba/cifs-utils 5.6 - 6.10
Published: Sep 09, 2020
Tracked Since: Feb 18, 2026