CVE-2010-0426

2010-02-2300:00:00

ubuntu.com

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

9.3%

JSON

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command
is enabled, permits a match between the name of the pseudo-command and the
name of an executable file in an arbitrary directory, which allows local
users to gain privileges via a crafted executable file, as demonstrated by
a file named sudoedit in a user’s home directory.

Bugs

Notes

Author	Note
jdstrand	“Exploitation of the bug requires that the sudoers file be configured to allow the attacker to run sudoedit. If no users have been granted access to sudoedit there is no impact.” Dapper has 1.6.8. If --secure-path is used and compiled to use execvp(), then sudo should not be vulnerable. Dapper is compiled with --secure-path and happens to use execvp()

OSVersionArchitecturePackageVersionFilename
ubuntu6.06noarchsudo< 1.6.8p12-1ubuntu6.1UNKNOWN
ubuntu8.04noarchsudo< 1.6.9p10-1ubuntu3.6UNKNOWN
ubuntu8.10noarchsudo< 1.6.9p17-1ubuntu2.2UNKNOWN
ubuntu9.04noarchsudo< 1.6.9p17-1ubuntu3.1UNKNOWN
ubuntu9.10noarchsudo< 1.7.0-1ubuntu2.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	6.06	noarch	sudo	< 1.6.8p12-1ubuntu6.1	UNKNOWN
ubuntu	8.04	noarch	sudo	< 1.6.9p10-1ubuntu3.6	UNKNOWN
ubuntu	8.10	noarch	sudo	< 1.6.9p17-1ubuntu2.2	UNKNOWN
ubuntu	9.04	noarch	sudo	< 1.6.9p17-1ubuntu3.1	UNKNOWN
ubuntu	9.10	noarch	sudo	< 1.7.0-1ubuntu2.1	UNKNOWN