CVE-2023-22809

Name
CVE-2023-22809
Description
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
CONFIRM https://www.sudo.ws/security/advisories/sudoedit_any/
MLIST https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html
DEBIAN https://www.debian.org/security/2023/dsa-5321
MLIST http://www.openwall.com/lists/oss-security/2023/01/19/1
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/
Third Party Advisory https://security.netapp.com/advisory/ntap-20230127-0015/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/
MISC http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html
GENTOO https://security.gentoo.org/glsa/202305-12
MISC http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html
FULLDISC http://seclists.org/fulldisclosure/2023/Aug/21
MISC http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html
CONFIRM https://support.apple.com/kb/HT213758
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:sudo_project:sudo:1.9.12:-:*:*:*:*:*:* sudo == None == 1.9.12
cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:* sudo >= 1.8.0 < 1.9.12

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
sudo edge-main 1.9.5p2-r0 None possibly vulnerable
sudo edge-main 1.9.5-r0 None possibly vulnerable
sudo edge-main 1.8.31-r0 None possibly vulnerable
sudo edge-main 1.8.28-r0 None possibly vulnerable
sudo edge-main 1.8.20_p2-r0 None possibly vulnerable
sudo edge-community 1.9.12_p2-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
sudo edge-community 1.9.5p2-r0 None possibly vulnerable
sudo edge-community 1.9.5_p2-r0 None possibly vulnerable
sudo edge-community 1.9.5-r0 None possibly vulnerable
sudo edge-community 1.8.31-r0 None possibly vulnerable
sudo edge-community 1.8.28-r0 None possibly vulnerable
sudo edge-community 1.8.20_p2-r0 None possibly vulnerable
sudo 3.22-community 1.9.12_p2-r0 None fixed
sudo 3.22-community 1.9.5_p2-r0 None possibly vulnerable
sudo 3.22-community 1.9.5-r0 None possibly vulnerable
sudo 3.22-community 1.8.31-r0 None possibly vulnerable
sudo 3.22-community 1.8.28-r0 None possibly vulnerable
sudo 3.22-community 1.8.20_p2-r0 None possibly vulnerable
sudo 3.21-community 1.9.12_p2-r0 None fixed
sudo 3.20-community 1.9.12_p2-r0 None fixed
sudo 3.19-community 1.9.12_p2-r0 None fixed
sudo 3.18-community 1.9.12_p2-r0 None fixed
sudo 3.17-community 1.9.12_p2-r0 Natanael Copa <ncopa@alpinelinux.org> fixed