{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-37703", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-04T16:09:48.244Z", "dateReserved": "2022-08-08T00:00:00.000Z", "datePublished": "2022-09-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-12-03T11:06:20.751Z"}, "descriptions": [{"lang": "en", "value": "In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://www.amanda.org/"}, {"url": "https://github.com/MaherAzzouzi/CVE-2022-37703"}, {"url": "https://bugs.gentoo.org/870037"}, {"name": "FEDORA-2023-3d0619d767", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ATMGMVS3QDN6OMKMHGUTUTU7NS7HR3BZ/"}, {"name": "FEDORA-2023-1293196f34", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYREA6LFXF5M7K4WLNJV5VNQPS4MTBW2/"}, {"name": "FEDORA-2023-e295804b3d", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5DCLSX5YYTWMKSMDL67M5STZ5ZDSOXK/"}, {"url": "https://github.com/zmanda/amanda/releases/tag/tag-community-3.5.3"}, {"name": "[debian-lts-announce] 20231203 [SECURITY] [DLA 3681-1] amanda security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00003.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.amanda.org/", "tags": ["x_transferred"]}, {"url": "https://github.com/MaherAzzouzi/CVE-2022-37703", "tags": ["x_transferred"]}, {"url": "https://bugs.gentoo.org/870037", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-3d0619d767", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ATMGMVS3QDN6OMKMHGUTUTU7NS7HR3BZ/"}, {"name": "FEDORA-2023-1293196f34", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYREA6LFXF5M7K4WLNJV5VNQPS4MTBW2/"}, {"name": "FEDORA-2023-e295804b3d", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5DCLSX5YYTWMKSMDL67M5STZ5ZDSOXK/"}, {"url": "https://github.com/zmanda/amanda/releases/tag/tag-community-3.5.3", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20231203 [SECURITY] [DLA 3681-1] amanda security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00003.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00023.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T16:09:48.244Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amanda:amanda:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "97C10DDE-E81D-42F4-9A24-F1F11A2B7A6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path."}, {"lang": "es", "value": "En Amanda versi\u00f3n 3.5.1, se encontr\u00f3 una vulnerabilidad de filtrado de informaci\u00f3n en el binario SUID de calcsize. Un atacante puede abusar de esta vulnerabilidad para saber si un directorio se presenta o no en cualquier parte del fs. El binario usar\u00e1 \"opendir()\" como root directamente sin comprobar la ruta, permitiendo al atacante proporcionar una ruta arbitraria"}], "id": "CVE-2022-37703", "lastModified": "2025-11-04T16:15:50.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-13T20:15:09.793", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.amanda.org/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://bugs.gentoo.org/870037"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/MaherAzzouzi/CVE-2022-37703"}, {"source": "cve@mitre.org", "url": "https://github.com/zmanda/amanda/releases/tag/tag-community-3.5.3"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00003.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5DCLSX5YYTWMKSMDL67M5STZ5ZDSOXK/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ATMGMVS3QDN6OMKMHGUTUTU7NS7HR3BZ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYREA6LFXF5M7K4WLNJV5VNQPS4MTBW2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.amanda.org/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugs.gentoo.org/870037"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/MaherAzzouzi/CVE-2022-37703"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/zmanda/amanda/releases/tag/tag-community-3.5.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5DCLSX5YYTWMKSMDL67M5STZ5ZDSOXK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ATMGMVS3QDN6OMKMHGUTUTU7NS7HR3BZ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYREA6LFXF5M7K4WLNJV5VNQPS4MTBW2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "amanda: information leak (discovery of directory existence)", "id": "2126847", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126847"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-402", "details": ["In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.", "An information leak vulnerability was found in Amanda in the calcsize SUID binary. This flaw allows an attacker to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path."], "name": "CVE-2022-37703", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "amanda", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "amanda", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "amanda", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2022-09-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-37703\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37703\nhttps://github.com/MaherAzzouzi/CVE-2022-37703"], "threat_severity": "Low"}