Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-22809

Опубликовано: 18 янв. 2023
Источник: redhat
CVSS3: 7.8
EPSS Средний

Описание

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.

Меры по смягчению последствий

It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file.

Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"

To restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:

Cmnd_Alias EDIT_MOTD = sudoedit /etc/motd Defaults!EDIT_MOTD env_delete+="SUDO_EDITOR VISUAL EDITOR" user ALL = EDIT_MOTD

But if possible please update the affected package as soon as possible.

Ссылки на источники

Дополнительная информация

Статус:

Important
https://bugzilla.redhat.com/show_bug.cgi?id=2161142sudo: arbitrary file write with privileges of the RunAs user

EPSS

Процентиль: 97%
0.43244
Средний

7.8 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-22809

CVSS3: 7.8
ubuntu
больше 2 лет назад

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

nvd логотип

CVE-2023-22809

CVSS3: 7.8
nvd
больше 2 лет назад

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

debian логотип

CVE-2023-22809

CVSS3: 7.8
debian
больше 2 лет назад

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extr ...

suse-cvrf логотип

SUSE-SU-2023:0117-1

suse-cvrf
больше 2 лет назад

Security update for sudo

suse-cvrf логотип

SUSE-SU-2023:0116-1

suse-cvrf
больше 2 лет назад

Security update for sudo

EPSS

Процентиль: 97%
0.43244
Средний

7.8 High

CVSS3