CVE-2022-43995
published 2022-11-02CVE-2022-43995: Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a…
high7.1CVSS 3.1
AVLACLPRLUINSUCHINAH
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sudo | < sudo 1.9.12p1-1 (bookworm) | sudo 1.9.12p1-1 (bookworm) |
| msrc | cbl2_sudo_1.9.12p1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_sudo_1.9.12p1-1_on_cbl_mariner_1.0 | — | — |
| sudo_project | sudo | — | — |
| sudo_project | sudo | >= 0 < 1.9.12p1-1 | 1.9.12p1-1 |
| sudo_project | sudo | >= 0 < 1.9.12p1-1 | 1.9.12p1-1 |
| sudo_project | sudo | >= 0 < 1.9.12p1-1 | 1.9.12p1-1 |
| sudo_project | sudo | >= 1.8.0 < 1.9.12 | 1.9.12 |
CVSS provenance
nvdv3.17.1HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
osv7.1HIGH