CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:H/Au:N/C:P/I:P/A:P
EPSS
Percentile
27.0%
Todd C. Miller reports:
A race condition in Sudo’s command pathname handling
prior to Sudo version 1.6.8p9 that could allow a user with
Sudo privileges to run arbitrary commands.
Exploitation of the bug requires that the user be allowed
to run one or more commands via Sudo and be able to create
symbolic links in the filesystem. Furthermore, a sudoers
entry giving another user access to the ALL pseudo-command
must follow the user’s sudoers entry for the race to
exist.