Cifs Utils
CVE-2020-14342
HIGH
Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.
AnalysisAI
It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. Rated high severity (CVSS 7.0). Public exploit code available.
Technical ContextAI
This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. Affected products include: Samba Cifs-Utils, Fedoraproject Fedora, Opensuse Leap.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.
More in Cifs Utils
View allStack-based buffer overflow in cifskey.c or cifscreds.c in cifs-utils before 6.4, as used in pam_cifscreds, allows remot
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could le
mount.cifs in cifs-utils 2.6 allows local users to determine the existence of arbitrary files or directories via the fil
A flaw was found in cifs-utils in versions before 6.13. Rated medium severity (CVSS 6.1).
cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) charact
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today