CVE-2023-22809

sudo 1.8.0 to 1.9.12p1 - Privilege Escalation

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

En Sudo anterior a 1.9.12p2, la función sudoedit (también conocida como -e) maneja mal argumentos adicionales pasados en las variables de entorno proporcionadas por el usuario (SUDO_EDITOR, VISUAL y EDITOR), permitiendo a un atacante local agregar entradas arbitrarias a la lista de archivos para procesar. . Esto puede conducir a una escalada de privilegios. Las versiones afectadas son 1.8.0 a 1.9.12.p1. El problema existe porque un editor especificado por el usuario puede contener un argumento "--" que anula un mecanismo de protección, por ejemplo, un valor EDITOR='vim -- /path/to/extra/file'.

A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include code execution and integer overflow vulnerabilities.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-01-06 CVE Reserved
2023-01-18 CVE Published
2023-02-15 First Exploit
2025-04-04 CVE Updated
2025-06-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-269: Improper Privilege Management

CAPEC

References (32)

URL	Tag	Source
http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html	Third Party Advisory
http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html	Third Party Advisory
http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html	Third Party Advisory
http://seclists.org/fulldisclosure/2023/Aug/21	Mailing List
https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html	Mailing List
https://security.netapp.com/advisory/ntap-20230127-0015	Third Party Advisory
https://support.apple.com/kb/HT213758	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/172509	2023-05-23
https://packetstorm.news/files/id/174234	2023-08-18
https://packetstorm.news/files/id/171644	2023-04-03
https://www.exploit-db.com/exploits/51217	2023-04-03
https://github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc	2023-02-15
https://github.com/Chan9Yan9/CVE-2023-22809	2023-06-20
https://github.com/Toothless5143/CVE-2023-22809	2023-09-03
https://github.com/3yujw7njai/CVE-2023-22809-sudo-POC	2023-04-06
https://github.com/pashayogi/CVE-2023-22809	2023-06-25
https://github.com/M4fiaB0y/CVE-2023-22809	2023-02-22
https://github.com/asepsaepdin/CVE-2023-22809	2023-07-13
https://github.com/AntiVlad/CVE-2023-22809	2024-08-14
https://github.com/hello4r1end/patch_CVE-2023-22809	2023-06-08
https://github.com/laxmiyamkolu/SUDO-privilege-escalation	2024-08-26
https://github.com/D0rDa4aN919/CVE-2023-22809-Exploiter	2024-09-06
https://github.com/AiK1d/CVE-2023-22809-sudo-POC	2025-02-14
http://www.openwall.com/lists/oss-security/2023/01/19/1	2025-04-04
https://www.sudo.ws/security/advisories/sudoedit_any	2025-04-04
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf	2025-04-04

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH	2023-11-17
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ	2023-11-17
https://security.gentoo.org/glsa/202305-12	2023-11-17
https://www.debian.org/security/2023/dsa-5321	2023-11-17
https://access.redhat.com/security/cve/CVE-2023-22809	2023-05-23
https://bugzilla.redhat.com/show_bug.cgi?id=2161142	2023-05-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				>= 1.8.0 < 1.9.12 Search vendor "Sudo Project" for product "Sudo" and version " >= 1.8.0 < 1.9.12"		-		Affected
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				1.9.12 Search vendor "Sudo Project" for product "Sudo" and version "1.9.12"		-		Affected
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				1.9.12 Search vendor "Sudo Project" for product "Sudo" and version "1.9.12"		p1		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				< 13.4 Search vendor "Apple" for product "Macos" and version " < 13.4"		-		Affected