Improper Handling of Exceptional Conditions
Affecting sudo package, versions <1.8.27-1+deb10u1
Report new vulnerabilities
Do your applications use this vulnerable package?
Test your applications
Overview
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u #$((0xffffffff))" command.
References
- ADVISORY
- Bugtraq Mailing List
- Bugtraq Mailing List
- CONFIRM
- CONFIRM
- CONFIRM
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- Fedora Security Update
- GENTOO
- MISC
- MISC
- Netapp Security Advisory
- OSS security Advisory
- OSS security Advisory
- OSS security Advisory
- OSS security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
CVSS Score
8.8
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredLow
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityHigh
-
AvailabilityHigh
- CVE
- CVE-2019-14287
- CWE
- CWE-755
- Snyk ID
- SNYK-DEBIAN10-SUDO-473056
- Disclosed
- 17 Oct, 2019
- Published
- 14 Oct, 2019