CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 1CVE-2023-27320
https://notcve.org/view.php?id=CVE-2023-27320
Sudo before 1.9.13p2 has a double free in the per-command chroot feature. • http://www.openwall.com/lists/oss-security/2023/03/01/8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU https://security.gentoo.org/glsa/202309-12 https://security.netapp.com/advisory/ntap-20230413-0009 https: • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 12CVE-2023-22809 – sudo 1.8.0 to 1.9.12p1 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-22809
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value. En Sudo anterior a 1.9.12p2, la función sudoedit (también conocida como -e) maneja mal argumentos adicionales pasados en las variables de entorno proporcionadas por el usuario (SUDO_EDITOR, VISUAL y EDITOR), permitiendo a un atacante local agregar entradas arbitrarias a la lista de archivos para procesar. . • https://www.exploit-db.com/exploits/51217 https://github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc https://github.com/Chan9Yan9/CVE-2023-22809 https://github.com/Toothless5143/CVE-2023-22809 https://github.com/3yujw7njai/CVE-2023-22809-sudo-POC https://github.com/pashayogi/CVE-2023-22809 https://github.com/M4fiaB0y/CVE-2023-22809 https://github.com/asepsaepdin/CVE-2023-22809 https://github.com/AntiVlad/CVE-2023-22809 http://packetstormsecurity.com/files/171644/sudo-1.9.12p • CWE-269: Improper Privilege Management •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43995
https://notcve.org/view.php?id=CVE-2022-43995
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. Sudo 1.8.0 a 1.9.12, con el backend de contraseña crypt(), contiene un error de matriz fuera de límites plugins/sudoers/auth/passwd.c que puede provocar una sobrelectura del búfer. Esto puede ser activado por usuarios locales arbitrarios con acceso a Sudo ingresando una contraseña de siete caracteres o menos. • https://bugzilla.redhat.com/show_bug.cgi?id=2139911 https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050 https://news.ycombinator.com/item?id=33465707 https://security.gentoo.org/glsa/202211-08 https://www.sudo.ws/security/advisories • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 95%CPEs: 39EXPL: 57CVE-2021-3156 – Sudo Heap-Based Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2021-3156
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. Sudo versiones anteriores a 1.9.5p2 contiene un error de desbordamiento que puede resultar en un desbordamiento de búfer basado en la pila, lo que permite la escalada de privilegios a root a través de "sudoedit -s" y un argumento de línea de comandos que termina con un solo carácter de barra invertida A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation. • https://www.exploit-db.com/exploits/49521 https://www.exploit-db.com/exploits/49522 https://github.com/blasty/CVE-2021-3156 https://github.com/worawit/CVE-2021-3156 https://github.com/stong/CVE-2021-3156 https://github.com/reverse-ex/CVE-2021-3156 https://github.com/CptGibbon/CVE-2021-3156 https://github.com/Rvn0xsy/CVE-2021-3156-plus https://github.com/mr-r3b00t/CVE-2021-3156 https://github.com/0xdevil/CVE-2021-3156 https://github.com/unauth401/CVE-20 • CWE-122: Heap-based Buffer Overflow CWE-193: Off-by-one Error •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 1CVE-2021-23240 – sudo: symbolic link attack in SELinux-enabled sudoedit
https://notcve.org/view.php?id=CVE-2021-23240
selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. En la función selinux_edit_copy_tfiles en sudoedit en Sudo versiones anteriores a la 1.9.5, permite a un usuario local poco privilegiado obtener una propiedad del archivo y escalar unos privilegios reemplazando un archivo temporal con un enlace simbólico para un archivo objetivo arbitrario. Esto afecta el soporte de SELinux RBAC en modo permisivo. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2021-23240 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EE42Y35SMJOLONAIBNYNFC7J44UUZ2Y6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GMY4VSSBIND7VAYSN6T7XIWJRWG4GBB3 ht • CWE-59: Improper Link Resolution Before File Access ('Link Following') •