CVE-2022-29869: 
NixOS vulnerability analysis and mitigation

CVE-2022-29869 affects cifs-utils through version 6.14, a Common Internet File System utilities package. The vulnerability was discovered and reported by Jeffrey Bencteux in April 2022. When verbose logging is enabled, the software can cause an information leak when a file contains equal sign (=) characters but is not a valid credentials file (NVD, Debian LTS).

The vulnerability is classified as an information disclosure issue with a CVSS v3.1 Base Score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is categorized as CWE-532: Insertion of Sensitive Information into Log File (NVD).

When verbose logging is enabled, invalid credentials file lines may be dumped to stderr, potentially leading to information disclosure in particular conditions when the credentials file given is sensitive and contains equal sign characters (Gentoo Security).

The vulnerability has been fixed in cifs-utils version 6.15. Users are advised to upgrade to this version or later. Multiple distributions have released security updates including Debian (versions 2:6.8-2+deb10u1 for buster and 2:6.11-3.1+deb11u1 for bullseye), Fedora (version 6.15-1 for Fedora 34, 35, and 36), and Gentoo (version 6.15) (Debian Security, Fedora Update, Gentoo Security).