ghsa-q428-6v73-fc4q
Vulnerability from github
Published
2025-11-13 15:36
Modified
2025-11-13 15:36
Severity ?
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
sudo-rs doesn't record authenticating user properly in timestamp
Details

Summary

When Defaults targetpw (or Defaults rootpw) is enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later sudo invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.

Impact

A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts.

A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of sudo), effectively negating the intended behaviour of the targetpw or rootpw options.

Example

With this in /etc/sudoers: Defaults targetpw user ALL=(ALL:ALL) ALL First run: user@machine$ sudo -g root whoami [sudo: authenticate] Password: <password for user> user Then run: user@machine$ sudo -u root whoami root

Affected versions

sudo-rs prior to 0.2.5 are not affected, since they do not offer Defaults targetpw or Defaults rootpw.

Credits

This issue was discovered and reported by @Pingasmaster.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "sudo-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.5"
            },
            {
              "fixed": "0.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T15:36:03Z",
    "nvd_published_at": "2025-11-12T22:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen `Defaults targetpw` (or `Defaults rootpw`) is enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. `sudo-rs` prior to 0.2.10 incorrectly recorded the invoking user\u2019s UID instead of the authenticated-as user\u0027s UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.\n\n### Impact\nA highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don\u0027t know the password for those accounts.\n\nA common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options.\n\n### Example\n\nWith this in /etc/sudoers:\n```\nDefaults targetpw\nuser ALL=(ALL:ALL) ALL\n```\nFirst run:\n```\nuser@machine$ sudo -g root whoami\n[sudo: authenticate] Password: \u003cpassword for user\u003e\nuser\n```\nThen run:\n```\nuser@machine$ sudo -u root whoami\nroot\n```\n\n### Affected versions\n\nsudo-rs prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`.\n\n### Credits\n\nThis issue was discovered and reported by @Pingasmaster.",
  "id": "GHSA-q428-6v73-fc4q",
  "modified": "2025-11-13T15:36:03Z",
  "published": "2025-11-13T15:36:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/commit/8423fd986c3fa58b357f238c0db5e54baca5255d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trifectatechfoundation/sudo-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sudo-rs doesn\u0027t record authenticating user properly in timestamp"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.