CVE-2017-1000368

CWE-20 — Improper Input Validation11 documents8 sources

Severity

8.2HIGH

EPSS

0.2%

top 62.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sudo Project Sudo

Timeline

PublishedJun 5

Latest updateMay 14

Description

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages3 packages

▶Debiansudo< 1.8.20p1-1.1+3

▶Ubuntusudo< 1.8.9p5-1ubuntu1.5+esm1

▶NVDsudo_project/sudo1.8.20+1

🔴Vulnerability Details

GHSA

GHSA-v7hw-ff58-vxfm: Todd Miller's sudo version 1↗2022-05-14

▶

OSV

sudo vulnerability↗2019-05-29

▶

OSV

sudo vulnerabilities↗2019-05-06

▶

CVEList

CVE-2017-1000368: Todd Miller's sudo version 1↗2017-06-05

▶

OSV

CVE-2017-1000368: Todd Miller's sudo version 1↗2017-06-05

▶

📋Vendor Advisories

Ubuntu

Sudo vulnerability↗2019-05-29

▶

Ubuntu

Sudo vulnerabilities↗2019-05-06

▶

Red Hat

sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)↗2017-06-02

▶

Debian

CVE-2017-1000368: sudo - Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input valida...↗2017

▶

💬Community

Bugzilla

CVE-2017-1000368 sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)↗2017-06-06

▶