ALAS-2023-1808 --- amandaID: oval:org.secpod.oval:def:1601773 | Date: (C)2023-09-01 (M)2024-02-26 |
Class: PATCH | Family: unix |
An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The 'runtar' setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root. AMANDA before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705
Platform: |
Amazon Linux AMI |