Sudo Project: >> Sudo >> 1.4.0 Security Vulnerabilities
A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them.
CVSS Score
6.6
EPSS Score
0.0
Published
2023-12-23
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.
CVSS Score
7.0
EPSS Score
0.0
Published
2023-12-22
Sudo before 1.9.13 does not escape control characters in log messages.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-03-16
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-03-16
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.
CVSS Score
2.5
EPSS Score
0.0
Published
2021-01-12
selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.
CVSS Score
7.8
EPSS Score
0.002
Published
2021-01-12
There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
CVSS Score
7.8
EPSS Score
0.002
Published
2019-11-04
Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers
CVSS Score
7.0
EPSS Score
0.001
Published
2019-11-04
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
CVSS Score
8.8
EPSS Score
0.846
Published
2019-10-17
Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
CVSS Score
8.2
EPSS Score
0.002
Published
2017-06-05
Page 1