<p>Upgrade <code>Debian:10</code> <code>sudo</code> to version 1.8.27-1+deb10u5 or higher.</p>

Improper Privilege Management Affecting sudo package, versions <1.8.27-1+deb10u5

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

EPSS 0.05% (19^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN10-SUDO-3234744
published 19 Jan 2023
disclosed 18 Jan 2023

Report a new vulnerability Found a mistake?

Introduced: 18 Jan 2023

CVE-2023-22809 Open this link in a new tab CWE-269 Open this link in a new tab

How to fix?

Upgrade Debian:10 sudo to version 1.8.27-1+deb10u5 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream sudo package and not the sudo package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.