CVE-2009-0034 — Incorrect Authorization in Sudo

CWE-863 — Incorrect Authorization10 documents8 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 84.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sudo Project Sudo Gratisoft Sudo Vmware ESX

Timeline

PublishedJan 30

Latest updateMay 2

Description

parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Debiansudo_project/sudo< 1.6.9p17-2+3

▶NVDgratisoft/sudo1.6.9

▶NVDvmware/esx4.0

🔴Vulnerability Details

GHSA

GHSA-4x95-346p-g442: parse↗2022-05-02

▶

OSV

CVE-2009-0034: parse↗2009-01-30

▶

CVEList

CVE-2009-0034: parse↗2009-01-30

▶

📋Vendor Advisories

Red Hat

sudo in Fedora vulnerable to CVE-2009-0034 again due to improper patch rediff↗2011-01-14

▶

Ubuntu

sudo vulnerability↗2009-02-17

▶

Red Hat

sudo: incorrect handling of groups in Runas_User↗2009-01-23

▶

Debian

CVE-2009-0034: sudo - parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system g...↗2009

▶

💬Community

Bugzilla

CVE-2011-0008 sudo in Fedora vulnerable to CVE-2009-0034 again due to improper patch rediff↗2011-01-11

▶

Bugzilla

CVE-2009-0034 sudo: incorrect handling of groups in Runas_User↗2009-01-27

▶