CVE-2022-37703
Publication date 13 September 2022
Last updated 25 August 2025
Ubuntu priority
Description
In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| amanda | ||
| 22.04 LTS jammy |
Fixed 1:3.5.1-8ubuntu1.3
|
|
| 20.04 LTS focal |
Fixed 1:3.5.1-2ubuntu0.3
|
|
| 18.04 LTS bionic |
Fixed 1:3.5.1-1ubuntu0.3
|
|
| 16.04 LTS xenial | Ignored regressions likely | |
| 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.3 · Low
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5966-1
- amanda vulnerabilities
- 23 March 2023
- USN-5966-3
- amanda regression
- 3 April 2023