Sudoedit Feature Mishandles User-Provided Environment Variables, Leading to Privilege Escalation
CVE-2023-22809

7.8 HIGH

Key Information:

Vendor
Sudo Project
Status
Sudo
Vendor
CVE Published:
18 January 2023

Badges

👾 Exploit Exists | 🟡 Public PoC | 📰 News Worthy

Summary

The first article discusses a vulnerability in the Sudo project in which the sudoedit feature mishandles user-provided environment variables, leading to privilege escalation. It affects Sudo versions 1.8.0 through 1.9.12.p1 and has been exploited in the wild. The second article describes a set of memory corruption vulnerabilities in the ncurses library that could allow attackers to elevate privileges and run code in the targeted program's context or perform other malicious actions. Microsoft discovered these vulnerabilities and worked with the relevant maintainers to deploy fixes and to encourage users of ncurses to update their instances and systems.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVE-2023-22809 Impact of Sudo Vulnerability CVE-2023-22809

Palo Alto Networks Security Advisory: CVE-2023-22809 Impact of Sudo Vulnerability CVE-2023-22809 The Palo Alto Networks Product Security Assurance team has evaluated the sudo software vulnerability CVE-2023-22809 and has determined that the following Palo Alto Networks products do not expose the sud...

7 months ago

nabbisen — DEV Community Profile

Founder of Scqr Inc. (scqr.net) Apps dev and c/s monk. IT strategist. Interested: Social relationships. OpenBSD/Rust etc.

7 months ago

Uncursing the ncurses: Memory corruption vulnerabilities found in library | Microsoft Security Blog

A set of memory corruption vulnerabilities in the ncurses library could have allowed attackers to chain the vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions.

1 year ago

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by Microsoft
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved
