Input Validation Flaw in Sudo Affects Todd Miller's Software
CVE-2017-1000368

8.2HIGH

Key Information:

Vendor

Sudo Project

Status
Sudo
Vendor
CVE Published:
5 June 2017

What is CVE-2017-1000368?

An input validation flaw in the get_process_ttyname() function of Todd Miller's sudo, version 1.8.20p1 and earlier, permits embedded newlines, leading to potential information disclosure and unauthorized command execution. This vulnerability allows an attacker to exploit processes, compromising the security integrity of affected systems and applications, if not addressed promptly.

References

https://www.sudo.ws/alerts/linux_tty.html
x_refsource_CONFIRM
https://security.gentoo.org/glsa/201710-04
vendor-advisoryx_refsource_GENTOO
http://www.securityfocus.com/bid/98838
vdb-entryx_refsource_BID

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.