Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-37705

Publication date 30 January 2023

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.7 · Medium

Score breakdown

A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. This program mishandles the arguments passed to tar binary (it expects that the argument name and value are separated with a space; however, separating them with an equals sign is also supported),

Status

Package Ubuntu Release Status
amanda 23.04 lunar
Fixed 1:3.5.1-11
22.10 kinetic
Fixed 1:3.5.1-9ubuntu0.3
22.04 LTS jammy
Fixed 1:3.5.1-8ubuntu1.3
20.04 LTS focal
Fixed 1:3.5.1-2ubuntu0.3
18.04 LTS bionic
Fixed 1:3.5.1-1ubuntu0.3
16.04 LTS xenial Ignored regressions likely
14.04 LTS trusty Ignored end of standard support

Severity score breakdown

Parameter Value
Base score 6.7 · Medium
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H