CVE-2019-19232 — Improper Access Control in Sudo

CWE-284 — Improper Access Control8 documents7 sources

Severity

7.5HIGHNVD

EPSS

2.9%

top 13.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sudo Project Sudo Sudo

Timeline

PublishedDec 19

Latest updateMay 24

Description

In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiansudo_project/sudo< 1.8.31-1+3

▶NVDsudo/sudo1.8.29

🔴Vulnerability Details

GHSA

GHSA-g292-5fg6-fchh: In Sudo through 1↗2022-05-24

▶

CVEList

CVE-2019-19232: In Sudo through 1↗2019-12-19

▶

OSV

CVE-2019-19232: In Sudo through 1↗2019-12-19

▶

📋Vendor Advisories

Red Hat

sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user↗2019-12-19

▶

Debian

CVE-2019-19232: sudo - In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account ca...↗2019

▶

💬Community

Bugzilla

CVE-2019-19232 sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user↗2019-12-27

▶

Bugzilla

CVE-2019-19232 sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user [fedora-all]↗2019-12-27

▶