Array Out-of-Bounds Vulnerability in Sudo by Sudo Project
CVE-2022-43995

7.1HIGH

Key Information:

Vendor: Sudo Project
Status: Sudo
Vendor: CVE Published:; 2 November 2022

Summary

An array-out-of-bounds error exists in Sudo versions 1.8.0 through 1.9.12 when using the crypt() password backend. This vulnerability can be exploited by any local user with Sudo access by entering a password of seven characters or fewer, leading to a potential heap-based buffer over-read. The effects of this vulnerability may vary across different system libraries, compiler configurations, and processor architectures. Organizations using affected versions should assess their configurations and apply necessary updates to mitigate risk.

References

https://www.sudo.ws/security/advisories/

https://github.com/sudo-project/sudo/commit/bd209b9f16fcd...

https://news.ycombinator.com/item?id=33465707

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 2, 2022
Vulnerability Reserved
Oct 28, 2022