Vulnerability Description
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The wrapper script 'mount.cifs.wrapper' uses the shell to forward the arguments to the actual mount.cifs binary. The shell evaluates wildcards (such as in an injected string:/home/../tmp/* string).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cantata Project | Cantata | <= 2.3.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2018/06/18/1Mailing ListTechnical Description
- https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6cPatchTechnical Description
- http://www.openwall.com/lists/oss-security/2018/06/18/1Mailing ListTechnical Description
- https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6cPatchTechnical Description
FAQ
What is CVE-2018-12562?
CVE-2018-12562 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The wrapper script 'mount.cifs.wrapper' uses the shell to forward the arguments to the actual mount.cifs binary. ...
How severe is CVE-2018-12562?
CVE-2018-12562 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-12562?
Check the references section above for vendor advisories and patch information. Affected products include: Cantata Project Cantata.