CVSS2 score: 6.6 Medium

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C

EPSS: 0.0004 Low (Percentile: 5.3%)

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly
check environment variables for the env_delete restriction, which allows
local users with sudo permissions to bypass intended command restrictions
via a crafted environment variable.
Author | Note |
---|---|
jdstrand | Ubuntu uses env_reset by default |
mdeslaur | low priority since this is only vulnerable in a non-default configuration, and not using env_reset is insecure anyway. |
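
A defender-side check for the two preconditions named in the description (a sudo version from 1.6.9 up to but not including 1.8.5, and env_reset disabled), as an added example that is not part of the original page. The function names and the sample sudoers text are constructed for illustration, and the parsing is a simplification: includes are not followed and comments are cut at the first `#`.

```python
import re

AFFECTED_MIN = (1, 6, 9)  # first affected release, per the description
FIXED_IN = (1, 8, 5)      # first fixed release, per the description

def parse_version(text):
    """Numeric (major, minor, patch) of a sudo version such as '1.8.3p1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_affected(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN

def env_reset_disabled_scopes(sudoers_text):
    """Defaults scopes whose last env_reset setting is '!env_reset'."""
    disabled = {}
    joined = re.sub(r"\\\n", " ", sudoers_text)  # join continued lines
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # simplification: drop comments
        m = re.match(r"Defaults([:@>!]\S*)?\s+(.*)", line)
        if not m:
            continue
        scope = m.group(1) or "(global)"
        for param in m.group(2).split(","):
            param = param.strip()
            if re.fullmatch(r"!\s*env_reset", param):
                disabled[scope] = True
            elif param == "env_reset":
                disabled[scope] = False          # a later setting overrides
    return sorted(s for s, off in disabled.items() if off)

def exposed(version, sudoers_text):
    """(both preconditions met?, scopes with env_reset disabled)."""
    scopes = env_reset_disabled_scopes(sudoers_text)
    return version_affected(version) and bool(scopes), scopes

# Constructed sample sudoers content, not taken from any real system.
SAMPLE = """\
# constructed sample
Defaults env_reset, mail_badpass
Defaults:deploy !env_reset, \\
    env_delete += "LD_PRELOAD"
Defaults>root !env_reset
Defaults>root env_reset
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    print(exposed("1.7.4p4", SAMPLE))
```

Release candidates and vendor-backported builds are not distinguished by the numeric comparison, so a distribution package's changelog remains the authority on whether the fix is present.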