An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The 'runtar' setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root. AMANDA before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705