CVE-2023-28486 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Affected Products (NVD)

Vendor	Product	Version
sudo_project	sudo	𝑥 < 1.9.13
netapp	active_iq_unified_manager	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

sudo

bookworm	1.9.13p3-1+deb12u1 fixed
bullseye	no-dsa
bullseye (security)	vulnerable
sid	1.9.16p1-1 fixed
trixie	1.9.16p1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

sudo

bionic	Fixed 1.8.21p2-3ubuntu1.6 released
focal	Fixed 1.8.31-1ubuntu1.5 released
jammy	Fixed 1.9.9-1ubuntu2.4 released
kinetic	Fixed 1.9.11p3-1ubuntu1.3 released
lunar	Fixed 1.9.13p1-1ubuntu2 released
mantic	Fixed 1.9.13p1-1ubuntu2 released
noble	Fixed 1.9.13p1-1ubuntu2 released
oracular	Fixed 1.9.13p1-1ubuntu2 released
trusty	ignored
xenial	Fixed 1.8.16-0ubuntu1.10+esm2 released

Common Weakness Enumeration

CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca

https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13

https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html

https://security.gentoo.org/glsa/202309-12

https://security.netapp.com/advisory/ntap-20230420-0002/

https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca

https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13

https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html

https://security.gentoo.org/glsa/202309-12

https://security.netapp.com/advisory/ntap-20230420-0002/