ID |
CVE-2019-19232
|
Summary |
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions. |
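Added example, not part of this CVE record and not sudo project code: a Python script that flags sudo log lines whose Runas target was given as a bare numeric uid (the sudo "-u '#uid'" syntax) that the local password database cannot resolve, and that reports whether a sudoers file turns that behaviour back on. Assumptions not taken from this record: the name of the 1.8.30 option, runas_allow_unknown_id, is from the sudo release notes; sudo is taken to write an unresolved target verbatim as "USER=#4242" in its syslog line; the log lines, the sudoers fragments, the invoker "alice", uid 4242 and the command paths are constructed sample data.

```python
# Added example, not part of this CVE record or of the sudo project: detect
# sudo log entries whose Runas target was given as a bare numeric uid ("#uid",
# the sudo(8) syntax) that resolves to no account in the local password
# database, and check whether a sudoers file explicitly turns on the
# runas_allow_unknown_id option that sudo 1.8.30 introduced (default off).
import pwd
import re
from typing import Callable, Iterable, List, Tuple

# sudo logs one line per command attempt; the Runas target appears as USER=...
# Assumption: for a uid with no passwd entry sudo records the target verbatim,
# i.e. "USER=#4242", because it never found a name to substitute.
LOG_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s*:.*?\bUSER=(?P<runas>\S+)\s*;.*?\bCOMMAND=(?P<cmd>.*)$"
)
NUMERIC_RUNAS = re.compile(r"^#(?P<uid>\d+)$")


def uid_exists(uid: int) -> bool:
    """True if the uid has an entry in the local password database (NSS)."""
    try:
        pwd.getpwuid(uid)
    except KeyError:
        return False
    return True


def find_unknown_runas(
    lines: Iterable[str], resolve: Callable[[int], bool] = uid_exists
) -> List[Tuple[str, int, str]]:
    """Return (invoker, uid, command) for every log line whose Runas target
    is a numeric uid that `resolve` cannot map to an account. Denied attempts
    are reported too, since the interesting signal is the request itself."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        n = NUMERIC_RUNAS.match(m.group("runas"))
        if n is None:
            continue
        uid = int(n.group("uid"))
        if not resolve(uid):
            hits.append((m.group("invoker"), uid, m.group("cmd").strip()))
    return hits


# "Defaults", optionally qualified (Defaults:user, Defaults@host, ...), then options.
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(?P<opts>.*)$")


def runas_allow_unknown_id_enabled(sudoers_text: str) -> bool:
    """True if a Defaults line in the given sudoers text enables
    runas_allow_unknown_id. The option is off unless set; a later line wins.
    Host-, user- and command-qualified Defaults lines are treated as global,
    which errs on the side of reporting the weaker configuration."""
    enabled = False
    for raw in sudoers_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        m = DEFAULTS_RE.match(line)
        if m is None:
            continue
        for opt in m.group("opts").split(","):
            opt = opt.strip()
            if opt == "runas_allow_unknown_id":
                enabled = True
            elif opt == "!runas_allow_unknown_id":
                enabled = False
    return enabled


# Constructed sample input: three attempts by one sudoer holding a Runas ALL
# grant ("alice ALL=(ALL) ALL"); uid 4242 is assumed to have no account.
SAMPLE_LOG = [
    "Jan  5 10:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Jan  5 10:12:07 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#4242 ; COMMAND=/usr/bin/id",
    "Jan  5 10:12:11 host sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=#4242 ; COMMAND=/bin/sh",
]
# Weak setting (unknown ids re-enabled) beside the 1.8.30 default (disabled).
WEAK_SUDOERS = "Defaults env_reset\nDefaults runas_allow_unknown_id\nalice ALL=(ALL) ALL\n"
FIXED_SUDOERS = "Defaults env_reset\nDefaults !runas_allow_unknown_id\nalice ALL=(ALL) ALL\n"

if __name__ == "__main__":
    # A fixed resolver keeps the demo independent of this host's accounts.
    known = {0, 1000}
    for invoker, uid, cmd in find_unknown_runas(SAMPLE_LOG, lambda u: u in known):
        print(f"{invoker} requested {cmd!r} as unknown uid {uid}")
    print("weak sudoers enables unknown ids:", runas_allow_unknown_id_enabled(WEAK_SUDOERS))
    print("fixed sudoers enables unknown ids:", runas_allow_unknown_id_enabled(FIXED_SUDOERS))
```

On a live host, pass the real uid_exists resolver (the default) and feed the script the sudo lines from auth.log or the journal; a hit on a 1.8.29 or older build, or on a newer build whose sudoers enables runas_allow_unknown_id, is a command that ran under a uid no account owns.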
References |
|
Vulnerable Configurations |
|
CVSS |
Base: | 5.0 (as of 21-03-2024 - 02:33) |
Impact: | |
Exploitability: | |
|
CWE |
NVD-CWE-noinfo |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
NETWORK | LOW | NONE |
|
Impact |
Confidentiality | Integrity | Availability |
NONE | PARTIAL | NONE |
|
cvss-vector
via4
|
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
redhat
via4
|
advisories | bugzilla | id | 1796518 | title | [RFE] add optional check for the target user shell |
| oval | OR |
    comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
    AND |
        comment | Red Hat Enterprise Linux 8 is installed | oval | oval:com.redhat.rhba:tst:20193384074 |
        OR |
            AND |
                comment | sudo is earlier than 0:1.8.29-5.el8 | oval | oval:com.redhat.rhsa:tst:20201804001 |
                comment | sudo is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20130363002 |
            AND |
                comment | sudo-debugsource is earlier than 0:1.8.29-5.el8 | oval | oval:com.redhat.rhsa:tst:20201804003 |
                comment | sudo-debugsource is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhsa:tst:20193694004 |
| rhsa | id | RHSA-2020:1804 | released | 2020-04-28 | severity | Moderate | title | RHSA-2020:1804: sudo security, bug fix, and enhancement update (Moderate) |
| rpms | - sudo-0:1.8.29-5.el8
| | - sudo-debuginfo-0:1.8.29-5.el8
| | - sudo-debugsource-0:1.8.29-5.el8 |
|
refmap
via4
|
confirm | |
fedora | - FEDORA-2020-7c1b270959
| | - FEDORA-2020-8b563bc5f4 |
fulldisc | 20200324 APPLE-SA-2020-03-24-2 macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra |
misc | |
|
Last major update |
21-03-2024 - 02:33 |
Published |
19-12-2019 - 21:15 |
Last modified |
21-03-2024 - 02:33 |