PT-2020-7138 · Shaman · Shaman

Kurt Seifried · Published 2020-02-12 · Updated 2020-02-25 · CVE-2011-4338

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Shaman version 1.0.9

Description: Shaman 1.0.9 grants root privileges without prompting for the root password when the line askforpwd=false is present in the shaman.conf file. A user who can add that line to the file gains root access the next time Shaman is run, without ever having entered the root password.

Recommendations: For Shaman version 1.0.9, remove the line askforpwd=false from the shaman.conf file so that root privileges are granted only after the root password has been entered. As a temporary workaround, restrict write access to the shaman.conf file so that unprivileged users cannot add the line.
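The check and the cleanup the recommendation describes, as an added POSIX shell example that is not part of this advisory or of the Shaman project. It assumes shaman.conf is a plain key=value file with '#' comments and that the caller supplies its real path (the location is not stated above); the audit flags the askforpwd=false line, reports whether non-owners could have written the file, and removes the line in place.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Shaman project.
# Audits a shaman.conf-style key=value file for the askforpwd=false line
# described in CVE-2011-4338, checks whether unprivileged users could have
# written it, and removes the line as the advisory recommends.
# Assumptions: the config is plain "key=value" lines with '#' comments, and the
# caller supplies the real path of shaman.conf (its location is not stated here).

# Matches "askforpwd=false" with optional surrounding whitespace and a trailing
# comment. Case-insensitive matching is deliberate: an audit should over-report
# rather than miss a spelling variant the parser might accept.
ASKFORPWD_FALSE_RE='^[[:space:]]*askforpwd[[:space:]]*=[[:space:]]*false[[:space:]]*(#.*)?$'

# 0 if the file contains an effective askforpwd=false line, 1 otherwise.
has_askforpwd_false() {
    [ -r "$1" ] || return 1
    grep -iqE "$ASKFORPWD_FALSE_RE" "$1"
}

# 0 if the file is group- or world-writable (anyone in the group, or any
# user, could add the line), 1 otherwise. Uses ls(1) so it works with both
# GNU and BSD userlands.
is_loosely_writable() {
    [ -e "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Prints findings. Exit status is a bitmask: 2 = weak setting present,
# 1 = file writable by non-owners, 0 = nothing found.
audit_shaman_conf() {
    conf="$1"
    status=0
    if has_askforpwd_false "$conf"; then
        echo "FINDING: $conf sets askforpwd=false (root without password, CVE-2011-4338)"
        status=2
    fi
    if is_loosely_writable "$conf"; then
        echo "FINDING: $conf is group- or world-writable; unprivileged users could add the line"
        status=$((status | 1))
    fi
    [ "$status" -eq 0 ] && echo "OK: $conf"
    return "$status"
}

# Removes every askforpwd=false line, rewriting in place so the file keeps
# its owner and mode (a mv would replace them with the temp file's).
remove_askforpwd_false() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -viE "$ASKFORPWD_FALSE_RE" "$conf" > "$tmp" || [ $? -eq 1 ]
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Stand-alone demonstration on a constructed sample, not a real shaman.conf.
sample=$(mktemp)
printf '# constructed sample\nasklocal=true\n  askforpwd = false\n' > "$sample"
chmod 666 "$sample"
audit_shaman_conf "$sample" || true     # reports both findings (status 3)
remove_askforpwd_false "$sample"
chmod 644 "$sample"
audit_shaman_conf "$sample" || true     # now prints OK
rm -f "$sample"
```

Run it as `sh audit_shaman.sh` to see the demonstration, or source it and call `audit_shaman_conf /path/to/shaman.conf` against the real file; a non-zero exit status makes the check usable from a configuration-management or cron job. The rewrite goes through `cat` rather than `mv` on purpose: replacing the file would hand it the temp file's ownership and mode, undoing the very permission restriction the workaround relies on.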

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2011-4338

Affected Products: Shaman