VuXML ID | Description |
3a1474ba-f646-11e9-b0af-b888e347c638 | sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports:
When sudo is configured to allow a user to run commands as an
arbitrary user via the ALL keyword in a Runas specification, it
is possible to run commands as root by specifying the user ID -1
or 4294967295.
This can be used by a user with sufficient sudo privileges to
run commands as root even if the Runas specification explicitly
disallows root access as long as the ALL keyword is listed first
in the Runas specification.
Log entries for commands run this way will list the target user
as 4294967295 instead of root. In addition, PAM session modules
will not be run for the command.
Discovery 2019-10-15 Entry 2019-10-24 sudo
< 1.8.28
https://www.sudo.ws/alerts/minus_1_uid.html
CVE-2019-14287
|
6193b3f6-548c-11eb-ba01-206a8a720317 | sudo -- Potential information leak in sudoedit
Todd C. Miller reports:
A potential information leak in sudoedit that could be used to
test for the existence of directories not normally accessible to
the user in certain circumstances. When creating a new file,
sudoedit checks to make sure the parent directory of the new file
exists before running the editor. However, a race condition exists
if the invoking user can replace (or create) the parent directory.
If a symbolic link is created in place of the parent directory,
sudoedit will run the editor as long as the target of the link
exists.If the target of the link does not exist, an error message
will be displayed. The race condition can be used to test for the
existence of an arbitrary directory. However, it _cannot_ be used
to write to an arbitrary location.
Discovery 2021-01-11 Entry 2021-01-11 sudo
< 1.9.5
https://www.sudo.ws/stable.html#1.9.5
CVE-2021-23239
|
b4e5f782-442d-11ea-9ba9-206a8a720317 | sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports:
Sudo's pwfeedback option can be used to provide visual feedback
when the user is inputting their password. For each key press,
an asterisk is printed. This option was added in response to
user confusion over how the standard Password: prompt disables
the echoing of key presses. While pwfeedback is not enabled by
default in the upstream version of sudo, some systems, such as
Linux Mint and Elementary OS, do enable it in their default
sudoers files.
Due to a bug, when the pwfeedback option is enabled in the
sudoers file, a user may be able to trigger a stack-based buffer
overflow. This bug can be triggered even by users not listed in
the sudoers file. There is no impact unless pwfeedback has been
enabled.
Discovery 2020-01-30 Entry 2020-01-30 sudo
< 1.8.31
https://www.sudo.ws/alerts/pwfeedback.html
CVE-2019-18634
|
3310014a-5ef9-11ed-812b-206a8a720317 | sudo -- Potential out-of-bounds write for small passwords
SO-AND-SO reports:
Sudo 1.8.0 through 1.9.12, with the crypt() password backend,
contains a plugins/sudoers/auth/passwd.c array-out-of-bounds
error that can result in a heap-based buffer over-read. This
can be triggered by arbitrary local users with access to sudo
by entering a password of seven characters or fewer. The impact
could vary depending on the system libraries, compiler,
and processor architecture.
Discovery 2022-11-07 Entry 2022-11-07 sudo
>= 1.8.0 lt 1.9.12p1
CVE-2022-43995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43995
|
f3cf4b33-6013-11eb-9a0e-206a8a720317 | sudo -- Multiple vulnerabilities
Todd C. Miller reports:
When invoked as sudoedit, the same set of command line options
are now accepted as for sudo -e. The -H and -P options are now
rejected for sudoedit and sudo -e which matches the sudo 1.7
behavior. This is part of the fix for CVE-2021-3156.
Fixed a potential buffer overflow when unescaping backslashes in
the command's arguments. Normally, sudo escapes special characters
when running a command via a shell (sudo -s or sudo -i). However,
it was also possible to run sudoedit with the -s or -i flags in
which case no escaping had actually been done, making a buffer
overflow possible. This fixes CVE-2021-3156.
Discovery 2021-01-26 Entry 2021-01-26 sudo
< 1.9.5p2
https://www.sudo.ws/stable.html#1.9.5p2
CVE-2021-3156
|