CVE-2023-22809

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
sudo_projectsudo
1.8.0 ≤
𝑥
< 1.9.12
sudo_projectsudo
1.9.12
sudo_projectsudo
1.9.12:p1
debiandebian_linux
10.0
debiandebian_linux
11.0
applemacos
𝑥
< 13.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
sudo
bookworm
1.9.13p3-1+deb12u1
fixed
bullseye
1.9.5p2-3+deb11u1
fixed
bullseye (security)
1.9.5p2-3+deb11u1
fixed
sid
1.9.16p1-1
fixed
trixie
1.9.16p1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
sudo
bionic
Fixed 1.8.21p2-3ubuntu1.5
released
focal
Fixed 1.8.31-1ubuntu1.4
released
jammy
Fixed 1.9.9-1ubuntu2.2
released
kinetic
Fixed 1.9.11p3-1ubuntu1.1
released
lunar
Fixed 1.9.11p3-1ubuntu3
released
trusty
Fixed 1.8.9p5-1ubuntu1.5+esm7
released
xenial
Fixed 1.8.16-0ubuntu1.10+esm1
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
sudo
suse enterprise desktop 15 SP4
1.9.9-150400.4.12.1
fixed
suse enterprise sap 15 SP1
1.8.27-150000.4.38.1
fixed
suse enterprise sap 15 SP2
1.8.27-150000.4.38.1
fixed
suse enterprise sap 15 SP4
1.9.9-150400.4.12.1
fixed
suse enterprise server 15 SP1
1.8.27-150000.4.38.1
fixed
suse enterprise server 15 SP2
1.8.27-150000.4.38.1
fixed
suse enterprise server 15 SP4
1.9.9-150400.4.12.1
fixed
sudo-devel
suse enterprise desktop 15 SP4
1.9.9-150400.4.12.1
fixed
suse enterprise sap 15 SP1
1.8.27-150000.4.38.1
fixed
suse enterprise sap 15 SP2
1.8.27-150000.4.38.1
fixed
suse enterprise sap 15 SP4
1.9.9-150400.4.12.1
fixed
suse enterprise server 15 SP1
1.8.27-150000.4.38.1
fixed
suse enterprise server 15 SP2
1.8.27-150000.4.38.1
fixed
suse enterprise server 15 SP4
1.9.9-150400.4.12.1
fixed
sudo-plugin-python
suse enterprise desktop 15 SP4
1.9.9-150400.4.12.1
fixed
suse enterprise sap 15 SP4
1.9.9-150400.4.12.1
fixed
suse enterprise server 15 SP4
1.9.9-150400.4.12.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
sudo
RHEL 7
0:1.8.23-10.el7_9.3
fixed
RHEL 9
0:1.9.5p2-7.el9_1.1
fixed
sudo-devel
RHEL 7
0:1.8.23-10.el7_9.3
fixed
sudo-python-plugin
RHEL 9
0:1.9.5p2-7.el9_1.1
fixed
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html
http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html
http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html
http://seclists.org/fulldisclosure/2023/Aug/21
http://www.openwall.com/lists/oss-security/2023/01/19/1
https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/
https://security.gentoo.org/glsa/202305-12
https://security.netapp.com/advisory/ntap-20230127-0015/
https://support.apple.com/kb/HT213758
https://www.debian.org/security/2023/dsa-5321
https://www.sudo.ws/security/advisories/sudoedit_any/
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html
http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html
http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html
http://seclists.org/fulldisclosure/2023/Aug/21
http://www.openwall.com/lists/oss-security/2023/01/19/1
https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/
https://security.gentoo.org/glsa/202305-12
https://security.netapp.com/advisory/ntap-20230127-0015/
https://support.apple.com/kb/HT213758
https://www.debian.org/security/2023/dsa-5321
https://www.sudo.ws/security/advisories/sudoedit_any/
https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf