CVE-2014-0106

Severity: 6.6 MEDIUM
EPSS: 0.1% (top 83.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 11; Latest update May 17

Description

Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check environment variables for the env_delete restriction, which allows local users with sudo permissions to bypass intended command restrictions via a crafted environment variable.

CVSS vector

AV:L/AC:M/C:C/I:C/A:C (Exploitability: 2.7 | Impact: 10.0)

Affected Packages (3 packages)

Debian: sudo < 1.8.5p2-1+3
NVD: todd_miller/sudo (58 versions)
NVD: apple/mac_os_x 10.10.4

Patches

Vulnerability Details (3)

GHSA: GHSA-cxvm-3g7g-7vv7: Sudo 1 (2022-05-17)
OSV: CVE-2014-0106: Sudo 1 (2014-03-11)
CVEList: CVE-2014-0106: Sudo 1 (2014-03-11)

Vendor Advisories (4)

Ubuntu: Sudo vulnerabilities (2014-03-13)
Red Hat: sudo: certain environment variables not sanitized when env_reset is disabled (2014-03-06)
Debian: CVE-2014-0106: sudo - Sudo 1.6.9 before 1.8.5, when env_reset is disabled, does not properly check env... (2014)
Apple: CVE-2014-0106: OS X Yosemite v10.10.5 and Security Update 2015-006

Community (1)

Bugzilla: CVE-2014-0106 sudo: certain environment variables not sanitized when env_reset is disabled (2014-03-03)