CERTA-2011-AVI-013
Vulnerability from certfr_avis

Une vulnérabilité dans la commande sudo permet à un utilisateur malveillant d'élever ses privilèges.

Description

La commande sudo a été enrichie d'une fonction de changement de groupe lors du passage à la version 1.7.0. Dans certaines configurations, un utilisateur malveillant peut acquérir sans vérification les droits assignés à un groupe dont il n'est pas membre.

Solution

La version 1.7.4p5 remédie à ce problème.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products
Vendor Product Description
Sudo Sudo sudo 1.7.0 à 1.7.4p4.
References

Show details on source website

To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "sudo 1.7.0 \u00e0 1.7.4p4.",
      "product": {
        "name": "Sudo",
        "vendor": {
          "name": "Sudo",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Description\n\nLa commande sudo a \u00e9t\u00e9 enrichie d\u0027une fonction de changement de groupe\nlors du passage \u00e0 la version 1.7.0. Dans certaines configurations, un\nutilisateur malveillant peut acqu\u00e9rir sans v\u00e9rification les droits\nassign\u00e9s \u00e0 un groupe dont il n\u0027est pas membre.\n\n## Solution\n\nLa version 1.7.4p5 rem\u00e9die \u00e0 ce probl\u00e8me.\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-0010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-0010"
    }
  ],
  "initial_release_date": "2011-01-14T00:00:00",
  "last_revision_date": "2012-03-07T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Gentoo GLSA 201203-06 du 06 mars 2012    :",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-201203-06.xml"
    }
  ],
  "reference": "CERTA-2011-AVI-013",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-01-14T00:00:00.000000"
    },
    {
      "description": "ajout du bulletinde s\u00e9curit\u00e9 Gentoo.",
      "revision_date": "2012-03-07T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans la commande \u003cspan class=\"textit\"\u003esudo\u003c/span\u003e\npermet \u00e0 un utilisateur malveillant d\u0027\u00e9lever ses privil\u00e8ges.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans sudo",
  "vendor_advisories": [
    {
      "published_at": "2011-01-12",
      "title": "Bulletin de s\u00e9curit\u00e9 sudo",
      "url": "http://www.sudo.ws/sudo/alerts/runas_group_pw.html"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.