#VU63954 Improper Privilege Management in cifs-utils - CVE-2021-20208
Published: June 2, 2022
Vulnerability identifier: #VU63954
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-20208
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
cifs-utils
cifs-utils
Software vendor:
Distrotech
Distrotech
Description
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in cifs-utils. A local user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host.
Remediation
Install updates from vendor's website.
External links
- https://bugzilla.samba.org/show_bug.cgi?id=14651
- https://bugzilla.redhat.com/show_bug.cgi?id=1921116
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4BZSJXROEFHYATAAHHRR6P3HUSMPQB3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4HSDIWXXNQBUW5ZS37RQMLJ7THK5AS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WJ3SVBHCSNQZAWSGLB6FBOCFU45FFG/