MidnightBSD

Advisories for sudo_project

CVE-2002-0184 HIGH

Sudo before 1.6.6 contains an off-by-one error that can result in a heap-based buffer overflow that may allow local users to gain root privileges via special characters in the -p (prompt) argument, which are not properly expanded.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-131,

Products Affected

Vendor Product Version
debian debian_linux 2.2
sudo_project sudo *
CVE-2014-9680 LOW

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2015-5602 HIGH

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2015-8239 MEDIUM

The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
sudo_project sudo 1.8.8
sudo_project sudo 1.8.11
sudo_project sudo 1.8.12
sudo_project sudo 1.8.9
sudo_project sudo 1.8.13
sudo_project sudo 1.8.15
sudo_project sudo 1.8.10
sudo_project sudo 1.8.14
CVE-2016-7076 HIGH

sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,CWE-77,

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2017-1000367 MEDIUM

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2017-1000368 HIGH

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
sudo_project sudo *
sudo_project sudo 1.8.20
CVE-2019-14287 HIGH

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-755,

Products Affected

Vendor Product Version
opensuse leap 15.0
fedoraproject fedora 31
redhat openshift_container_platform 4.1
canonical ubuntu_linux 12.04
sudo_project sudo *
redhat virtualization 4.2
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 8.4
fedoraproject fedora 29
canonical ubuntu_linux 19.04
debian debian_linux 9.0
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
netapp element_software_management_node -
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server 5.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_aus 6.6
redhat enterprise_linux_server 6.0
redhat enterprise_linux_workstation 7.0
fedoraproject fedora 30
redhat enterprise_linux_server_tus 8.2
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_desktop 6.0
debian debian_linux 10.0
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_aus 7.4
canonical ubuntu_linux 16.04
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_aus 6.5
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.04
redhat enterprise_linux 8.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_tus 7.4
opensuse leap 15.1
CVE-2019-18634 MEDIUM

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
debian debian_linux 10.0
sudo_project sudo *
debian debian_linux 8.0
CVE-2019-18684 MEDIUM

Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2021-23239 LOW

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
netapp hci_management_node -
debian debian_linux 10.0
sudo_project sudo *
fedoraproject fedora 33
netapp cloud_backup -
netapp solidfire -
fedoraproject fedora 32
CVE-2021-23240 MEDIUM

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
netapp hci_management_node -
sudo_project sudo *
fedoraproject fedora 33
netapp solidfire -
fedoraproject fedora 32
CVE-2021-3156 HIGH

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193,CWE-193,

Products Affected

Vendor Product Version
netapp hci_management_node -
sudo_project sudo *
netapp oncommand_unified_manager_core_package -
oracle communications_performance_intelligence_center *
netapp cloud_backup -
synology skynas_firmware -
oracle micros_es400_firmware *
fedoraproject fedora 32
oracle micros_workstation_5a_firmware 5a
synology diskstation_manager_unified_controller 3.0
beyondtrust privilege_management_for_mac *
sudo_project sudo 1.9.5
debian debian_linux 9.0
mcafee web_gateway 10.0.4
synology diskstation_manager 6.2
oracle tekelec_platform_distribution *
netapp ontap_tools 9
netapp ontap_select_deploy_administration_utility -
oracle micros_kitchen_display_system_firmware 210
synology vs960hd_firmware -
mcafee web_gateway 8.2.17
beyondtrust privilege_management_for_unix/linux *
netapp active_iq_unified_manager -
debian debian_linux 10.0
oracle micros_workstation_6_firmware *
fedoraproject fedora 33
mcafee web_gateway 9.2.8
netapp solidfire -
oracle micros_compact_workstation_3_firmware 310
CVE-2022-43995

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

Products Affected

Vendor Product Version
sudo_project sudo *
sudo_project sudo 1.9.12
CVE-2023-22809

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
apple macos *
debian debian_linux 10.0
debian debian_linux 11.0
sudo_project sudo *
sudo_project sudo 1.9.12
fedoraproject fedora 37
CVE-2023-27320

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
fedoraproject fedora 38
sudo_project sudo *
fedoraproject fedora 37
sudo_project sudo 1.9.13
CVE-2023-28486

Sudo before 1.9.13 does not escape control characters in log messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
sudo_project sudo *
CVE-2023-28487

Sudo before 1.9.13 does not escape control characters in sudoreplay output.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
sudo_project sudo *
CVE-2023-42465

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2023-7090

A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 2.3 3.7
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
sudo_project sudo *
CVE-2025-32462

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 2.8 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N 1.1 1.4

Products Affected

Vendor Product Version
sudo_project sudo 1.9.17
sudo_project sudo *
CVE-2025-32463

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 9.3 CRITICAL CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.5 6.0

Products Affected

Vendor Product Version
opensuse leap 15.6
debian debian_linux 11.0
sudo_project sudo 1.9.17
sudo_project sudo *
redhat enterprise_linux 10.0
debian debian_linux 12.0
canonical ubuntu_linux 24.10
canonical ubuntu_linux 25.04
suse linux_enterprise_real_time 15.0
suse linux_enterprise_desktop 15
canonical ubuntu_linux 24.04
suse linux_enterprise_server_for_sap 12
debian debian_linux 13.0
canonical ubuntu_linux 22.04