7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.7%
Issue Overview:
When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode. (CVE-2021-3156)
Affected Packages:
sudo
Issue Correction:
Run yum update sudo to update your system.
New Packages:
i686:
sudo-debuginfo-1.8.23-9.56.amzn1.i686
sudo-devel-1.8.23-9.56.amzn1.i686
sudo-1.8.23-9.56.amzn1.i686
src:
sudo-1.8.23-9.56.amzn1.src
x86_64:
sudo-1.8.23-9.56.amzn1.x86_64
sudo-devel-1.8.23-9.56.amzn1.x86_64
sudo-debuginfo-1.8.23-9.56.amzn1.x86_64
Red Hat: CVE-2021-3156
Mitre: CVE-2021-3156
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | sudo-debuginfo | < 1.8.23-9.56.amzn1 | sudo-debuginfo-1.8.23-9.56.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | sudo-devel | < 1.8.23-9.56.amzn1 | sudo-devel-1.8.23-9.56.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | sudo | < 1.8.23-9.56.amzn1 | sudo-1.8.23-9.56.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | sudo | < 1.8.23-9.56.amzn1 | sudo-1.8.23-9.56.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | sudo-devel | < 1.8.23-9.56.amzn1 | sudo-devel-1.8.23-9.56.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | sudo-debuginfo | < 1.8.23-9.56.amzn1 | sudo-debuginfo-1.8.23-9.56.amzn1.x86_64.rpm |
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.971 High
EPSS
Percentile
99.7%