PT-2022-24043 · Amanda+2

Maher Azzouzi · Published 2022-09-13 · Updated 2024-09-07 · CVE-2022-37703

CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Amanda version 3.5.1

Description
An information leak issue was discovered in the calcsize SUID binary, allowing an attacker to determine if a directory exists anywhere in the file system. The binary uses the opendir() function as root without path validation, enabling an attacker to provide an arbitrary path.

Recommendations
For Amanda version 3.5.1, consider restricting access to the calcsize SUID binary until a patch is available, or apply configuration changes to limit the binary's ability to access arbitrary paths. As a temporary workaround, consider disabling the use of the opendir() function in the calcsize binary to minimize the risk of exploitation.
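The pattern in the description, next to one general way to close it, as an added example: this is not Amanda's code or its patch, and the function names are hypothetical. The hardened form switches the effective uid to the invoking user's around opendir(), so the result reflects only what that user could already see.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern from the description: in a SUID-root binary this opendir() runs
 * with euid 0, so "0 vs. ENOENT" answers whether a directory exists even
 * below trees the invoking user cannot traverse. */
int probe_as_effective_user(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return errno;
    closedir(d);
    return 0;
}

/* Hardened form (hypothetical helper): perform the same call with the
 * invoking user's uid, then restore the saved euid for later privileged
 * work. An SGID binary would need the same treatment for the group id. */
int probe_as_invoking_user(const char *path)
{
    uid_t saved = geteuid();
    int rc = 0;

    if (seteuid(getuid()) != 0)
        return errno;            /* fail closed: never probe as root */
    DIR *d = opendir(path);
    if (d == NULL)
        rc = errno;              /* EACCES/ENOENT as the caller would see */
    else
        closedir(d);
    if (seteuid(saved) != 0)
        return errno;
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";   /* constructed default */
    printf("effective: %d  invoking: %d\n",
           probe_as_effective_user(path), probe_as_invoking_user(path));
    return 0;
}
```

Built without the SUID bit, both functions return the same value; they diverge only when the effective and real uids differ.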

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-37703
DLA-3681-1
DLA-3880-1
OPENSUSE-SU-2024:12808-1
USN-5966-1
USN-5966-2
USN-5966-3

Affected Products

Amanda
Linuxmint
Ubuntu