Lucene search

K
cveMitreCVE-2023-22809
HistoryJan 18, 2023 - 5:15 p.m.

CVE-2023-22809

2023-01-1817:15:10
CWE-269
mitre
web.nvd.nist.gov
996
5
cve-2023-22809
sudo
privilege escalation
environment variables
security vulnerability

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

19.7%

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a “–” argument that defeats a protection mechanism, e.g., an EDITOR=‘vim – /path/to/extra/file’ value.

Affected configurations

Nvd
Node
sudo_projectsudoRange1.8.01.9.12
OR
sudo_projectsudoMatch1.9.12-
OR
sudo_projectsudoMatch1.9.12p1
Node
debiandebian_linuxMatch10.0
OR
debiandebian_linuxMatch11.0
Node
fedoraprojectfedoraMatch36
OR
fedoraprojectfedoraMatch37
Node
applemacosRange<13.4
VendorProductVersionCPE
sudo_projectsudo*cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
sudo_projectsudo1.9.12cpe:2.3:a:sudo_project:sudo:1.9.12:-:*:*:*:*:*:*
sudo_projectsudo1.9.12cpe:2.3:a:sudo_project:sudo:1.9.12:p1:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
applemacos*cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

References

Social References

More

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

19.7%