Local Privilege Escalation Vulnerability in Sudo Affects SELinux Support
CVE-2021-23240

7.8HIGH

Key Information:

Vendor

Sudo Project

Status
Sudo
Vendor
CVE Published:
12 January 2021

What is CVE-2021-23240?

A vulnerability in the Sudo command prior to version 1.9.5 allows local unprivileged users to escalate privileges by exploiting a flaw in the selinux_edit_copy_tfiles function. If SELinux is running in permissive mode, attackers can replace temporary files with symbolic links pointing to arbitrary file targets, leading to unintended file ownership changes. Systems without SELinux are not susceptible to this issue.

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2021-23240
x_refsource_MISC
https://www.sudo.ws/stable.html#1.9.5
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.