Sudo Security Vulnerabilities
A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting...
8.8CVSS
7.3AI Score
0.001EPSS
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single...
7CVSS
7.5AI Score
0.001EPSS
Sudo-rs, a memory safe implementation of sudo and su, allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to...
8.1CVSS
8.2AI Score
0.001EPSS
5.3CVSS
5.2AI Score
0.001EPSS
5.3CVSS
5.2AI Score
0.001EPSS
7.2CVSS
6.9AI Score
0.002EPSS
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation....
7.8CVSS
7.7AI Score
0.001EPSS
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer.....
7.1CVSS
6.9AI Score
0.0004EPSS
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash...
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary...
2.5CVSS
5.2AI Score
0.001EPSS
selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not....
7.8CVSS
7.7AI Score
0.001EPSS
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist...
7.8CVSS
7.8AI Score
0.002EPSS
In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer...
7.5CVSS
7.3AI Score
0.008EPSS
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a....
7.5CVSS
7.4AI Score
0.008EPSS
There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next...
7.8CVSS
7.5AI Score
0.001EPSS
Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to...
7CVSS
6.8AI Score
0.0004EPSS
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a...
8.8CVSS
8.6AI Score
0.308EPSS
sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to...
7.8CVSS
7.8AI Score
0.0004EPSS
The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is...
7CVSS
6.6AI Score
0.0004EPSS
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command...
8.2CVSS
7.7AI Score
0.001EPSS
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command...
6.4CVSS
6.6AI Score
0.002EPSS
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output,...
3.3CVSS
3.7AI Score
0.0004EPSS
sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen...
7CVSS
6.9AI Score
0.0004EPSS
sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by...
6.1AI Score
0.001EPSS
Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment...
3.5AI Score
0.0004EPSS
sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another....
6.2AI Score
0.0004EPSS
sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling...
6.2AI Score
0.0004EPSS
sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard...
6.1AI Score
0.0004EPSS
sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the...
6.2AI Score
0.0004EPSS
A certain Red Hat script for sudo 1.7.2 on Red Hat Enterprise Linux (RHEL) 5 allows local users to overwrite arbitrary files via a symlink attack on the /var/tmp/nsswitch.conf.bak temporary...
6AI Score
0.0004EPSS
sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4...
5.9AI Score
0.0004EPSS
Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for...
6.8AI Score
0.001EPSS
A certain Fedora patch for parse.c in sudo before 1.7.4p5-1.fc14 on Fedora 14 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain...
6.2AI Score
0.0004EPSS
check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo...
7.4AI Score
0.0005EPSS
Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root"...
6.1AI Score
0.0004EPSS
The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH...
6AI Score
0.0004EPSS
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a...
7.1AI Score
0.0004EPSS
sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo...
6.6AI Score
0.0004EPSS
sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by.....
6.7AI Score
0.0004EPSS
parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo...
7.8CVSS
6AI Score
0.001EPSS
Multiple race conditions in the (1) Sudo monitor mode and (2) Sysjail policies in Systrace on NetBSD and OpenBSD allow local users to defeat system call interposition, and consequently bypass access control policy and...
7.2AI Score
0.0004EPSS
sudo, when linked with MIT Kerberos 5 (krb5), does not properly check whether a user can currently authenticate to Kerberos, which allows local users to gain privileges, in a manner unintended by the sudo security model, via certain KRB5_ environment variable settings. NOTE: another researcher...
6.6AI Score
0.0004EPSS
sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of...
6.1AI Score
0.001EPSS
Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are...
6.5AI Score
0.0004EPSS
Incomplete blacklist vulnerability in sudo 1.6.8 and earlier allows local users to gain privileges via the (1) SHELLOPTS and (2) PS4 environment variables before executing a bash script on behalf of another user, which are not cleared even though other variables...
6.2AI Score
0.0004EPSS
Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink...
6.1AI Score
0.001EPSS
Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux distributions, allows local users to gain privileges by using sudo to call su, then entering a blank password and hitting CTRL-C. NOTE: SuSE and multiple third-party researchers have not been able to replicate this issue, stating "Sudo...
7AI Score
0.0004EPSS
Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary files via a symlink attack on temporary...
6.6AI Score
0.0004EPSS
sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full...
6.8AI Score
0.001EPSS
sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with root privileges, which allows local users to read arbitrary files via a symlink attack on the temporary file before quitting...
6.4AI Score
0.0004EPSS