Vulnerability Description
The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encoded ruby script or scrub the PATH variable.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| HashiCorp | Vagrant VMware Fusion | <= 4.0.20 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2017/Jul/29 (Exploit, Mailing List, Third Party Advisory)
- https://github.com/hashicorp/vagrant-plugin-changelog/blob/master/vagrant-vmware (Release Notes, Third Party Advisory)
- https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmware (Exploit, Third Party Advisory)
- https://www.exploit-db.com/exploits/42334/ (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2017-7642?
CVE-2017-7642 is a vulnerability with a CVSS score of 7.8 (HIGH). The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.21 allows local users to gain root privileges by leveraging failure to verify the path to the encod...
How severe is CVE-2017-7642?
CVE-2017-7642 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-7642?
Check the references section above for vendor advisories and patch information. Affected products include: HashiCorp Vagrant VMware Fusion.