sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders

Summary Users with no or very limited sudo privileges can determine whether files exists in folders that they otherwise cannot access using sudo --list . PoC As root: mkdir /tmp/foo chmod a-rwx /tmp/foo touch /tmp/foo/secretfile As a user without any or limited sudo rights: $ sudo --list...

UBUNTU-CVE-2019-19232

In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as ...