CVSS2

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:L/AC:L/Au:N/C:C/I:C/A:C

AI Score
Confidence: High

EPSS
Percentile: 5.1%

sudo, when linked with MIT Kerberos 5 (krb5), does not properly check whether a user can currently authenticate to Kerberos, which allows local users to gain privileges, in a manner unintended by the sudo security model, via certain KRB5_ environment variable settings. NOTE: another researcher disputes this vulnerability, stating that the attacker must be “a user, who can already log into your system, and can already use sudo.”

Vendor | Product | Version | CPE |
---|---|---|---|
mit | kerberos_5 | - | cpe:2.3:a:mit:kerberos_5:-:*:*:*:*:*:*:* |
todd_miller | sudo | 1.6.8_p12 | cpe:2.3:a:todd_miller:sudo:1.6.8_p12:*:*:*:*:*:*:* |