CVE-2022-37704
Publication date 30 January 2023
Last updated 25 August 2025
Ubuntu priority
Description
Amanda 3.5.1 allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of privileges, denial of service, and information disclosure.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| amanda | ||
| 22.04 LTS jammy |
Fixed 1:3.5.1-8ubuntu1.3
|
|
| 20.04 LTS focal |
Fixed 1:3.5.1-2ubuntu0.3
|
|
| 18.04 LTS bionic |
Fixed 1:3.5.1-1ubuntu0.3
|
|
| 16.04 LTS xenial | Ignored regressions likely | |
| 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.7 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5966-1
- amanda vulnerabilities
- 23 March 2023
- USN-5966-3
- amanda regression
- 3 April 2023