CVE-2023-28486

sudo: Sudo does not escape control characters in log messages

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sudo before 1.9.13 does not escape control characters in log messages.

A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where sudo improperly escapes terminal control characters during logging operations. As sudo's log messages may contain user-controlled strings, this may allow an attacker to inject terminal control commands, leading to a leak of restricted information.

USN-6005-1 fixed vulnerabilities in Sudo. This update provides the corresponding updates for Ubuntu 16.04 LTS. Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly escaped control characters in log messages and sudoreplay output. An attacker could possibly use these issues to inject terminal control characters that alter output when being viewed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-16 CVE Reserved
2023-03-16 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-116: Improper Encoding or Escaping of Output
CWE-117: Improper Output Neutralization for Logs

CAPEC

References (7)

URL	Tag	Source
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13	Release Notes
https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html	Mailing List
https://security.netapp.com/advisory/ntap-20230420-0002	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca	2024-02-03

URL	Date	SRC
https://security.gentoo.org/glsa/202309-12	2024-02-03
https://access.redhat.com/security/cve/CVE-2023-28486	2024-03-19
https://bugzilla.redhat.com/show_bug.cgi?id=2179272	2024-03-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				< 1.9.13 Search vendor "Sudo Project" for product "Sudo" and version " < 1.9.13"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected