libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| umich | libgssapi | 0.2 |
| umich | libgssglue | 0.1 |
| umich | libgssapi | * |
| umich | libgssapi | 0.1 |
| umich | libgssglue | * |
| umich | libgssglue | 0.2 |