Candidate: CVE-2020-14342
PublicDate: 2020-09-09 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14342
 https://lists.samba.org/archive/samba-technical/2020-September/135747.html
Description:
 It was found that cifs-utils' mount.cifs was invoking a shell when
 requesting the Samba password, which could be used to inject arbitrary
 commands. An attacker able to invoke mount.cifs with special permission,
 such as via sudo rules, could use this flaw to escalate their privileges.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugzilla.samba.org/show_bug.cgi?id=14442
Priority: low
Discovered-by: Aurélien Aptel
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]


Patches_cifs-utils:
 upstream: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=48a654e2e763fce24c22e1b9c695b42804bbdd4a
upstream_cifs-utils: released (6.11)
precise/esm_cifs-utils: ignored (end of ESM support, was needed)
trusty_cifs-utils: ignored (out of standard support)
trusty/esm_cifs-utils: needed
xenial_cifs-utils: ignored (end of standard support, was needed)
esm-infra/xenial_cifs-utils: needed
bionic_cifs-utils: needed
focal_cifs-utils: needed
groovy_cifs-utils: released (2:6.11-0ubuntu1)
hirsute_cifs-utils: released (2:6.11-0ubuntu1)
impish_cifs-utils: released (2:6.11-0ubuntu1)
jammy_cifs-utils: released (2:6.11-0ubuntu1)
devel_cifs-utils: released (2:6.11-0ubuntu1)