{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-22809", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T10:20:30.856Z", "dateReserved": "2023-01-06T00:00:00", "datePublished": "2023-01-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-09-06T07:06:47.365601"}, "descriptions": [{"lang": "en", "value": "In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a \"--\" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf"}, {"url": "https://www.sudo.ws/security/advisories/sudoedit_any/"}, {"name": "[debian-lts-announce] 20230118 [SECURITY] [DLA 3272-1] sudo security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html"}, {"name": "DSA-5321", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5321"}, {"name": "[oss-security] 20230119 CVE-2023-22809: Sudoedit can edit arbitrary files", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/01/19/1"}, {"name": "FEDORA-2023-9078f609e6", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/"}, {"url": "https://security.netapp.com/advisory/ntap-20230127-0015/"}, {"name": "FEDORA-2023-298c136eee", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/"}, {"url": "http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html"}, {"name": "GLSA-202305-12", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-12"}, {"url": "https://support.apple.com/kb/HT213758"}, {"url": "http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html"}, {"name": "20230817 KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2023/Aug/21"}, {"url": "http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:30.856Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf", "tags": ["x_transferred"]}, {"url": "https://www.sudo.ws/security/advisories/sudoedit_any/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230118 [SECURITY] [DLA 3272-1] sudo security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html"}, {"name": "DSA-5321", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5321"}, {"name": "[oss-security] 20230119 CVE-2023-22809: Sudoedit can edit arbitrary files", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/01/19/1"}, {"name": "FEDORA-2023-9078f609e6", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/"}, {"url": "https://security.netapp.com/advisory/ntap-20230127-0015/", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-298c136eee", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/"}, {"url": "http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"name": "GLSA-202305-12", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-12"}, {"url": "https://support.apple.com/kb/HT213758", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"name": "20230817 KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2023/Aug/21"}, {"url": "http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*", "matchCriteriaId": "E76D2160-BE9D-4C9E-B2AB-B52B3C84DAD7", "versionEndExcluding": "1.9.12", "versionStartIncluding": "1.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sudo_project:sudo:1.9.12:-:*:*:*:*:*:*", "matchCriteriaId": "30B5DA3F-091D-4627-A5C0-2D1487A378B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sudo_project:sudo:1.9.12:p1:*:*:*:*:*:*", "matchCriteriaId": "F30DC131-EACB-47C6-B6B7-FCB78DDBD059", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADD1755A-5CD2-4EED-8C6C-4729FADFA3F5", "versionEndExcluding": "13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a \"--\" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value."}, {"lang": "es", "value": "En Sudo anterior a 1.9.12p2, la funci\u00f3n sudoedit (tambi\u00e9n conocida como -e) maneja mal argumentos adicionales pasados en las variables de entorno proporcionadas por el usuario (SUDO_EDITOR, VISUAL y EDITOR), permitiendo a un atacante local agregar entradas arbitrarias a la lista de archivos para procesar. . Esto puede conducir a una escalada de privilegios. Las versiones afectadas son 1.8.0 a 1.9.12.p1. El problema existe porque un editor especificado por el usuario puede contener un argumento \"--\" que anula un mecanismo de protecci\u00f3n, por ejemplo, un valor EDITOR='vim -- /path/to/extra/file'."}], "id": "CVE-2023-22809", "lastModified": "2023-11-17T19:32:56.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T17:15:10.353", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Aug/21"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/01/19/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202305-12"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230127-0015/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213758"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5321"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://www.sudo.ws/security/advisories/sudoedit_any/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0287", "cpe": "cpe:/o:redhat:rhel_els:6", "package": "sudo-0:1.8.6p3-29.el6_10.7", "product_name": "Red Hat Enterprise Linux 6 Extended Lifecycle Support", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0291", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "sudo-0:1.8.23-10.el7_9.3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:3264", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "sudo-0:1.8.19p2-12.el7_4.3", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2023-05-23T00:00:00Z"}, {"advisory": "RHSA-2023:3262", "cpe": "cpe:/o:redhat:rhel_aus:7.6", "package": "sudo-0:1.8.23-3.el7_6.3", "product_name": "Red Hat Enterprise Linux 7.6 Advanced Update Support", "release_date": "2023-05-23T00:00:00Z"}, {"advisory": "RHSA-2023:3276", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "sudo-0:1.8.23-4.el7_7.4", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2023-05-23T00:00:00Z"}, {"advisory": "RHSA-2023:3276", "cpe": "cpe:/o:redhat:rhel_tus:7.7", "package": "sudo-0:1.8.23-4.el7_7.4", "product_name": "Red Hat Enterprise Linux 7.7 Telco Extended Update Support", "release_date": "2023-05-23T00:00:00Z"}, {"advisory": "RHSA-2023:3276", "cpe": "cpe:/o:redhat:rhel_e4s:7.7", "package": "sudo-0:1.8.23-4.el7_7.4", "product_name": "Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions", "release_date": "2023-05-23T00:00:00Z"}, {"advisory": "RHSA-2023:0284", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "sudo-0:1.8.29-8.el8_7.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0280", "cpe": "cpe:/o:redhat:rhel_e4s:8.1", "package": "sudo-0:1.8.25p1-8.el8_1.3", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0292", "cpe": "cpe:/o:redhat:rhel_aus:8.2", "package": "sudo-0:1.8.29-5.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0292", "cpe": "cpe:/o:redhat:rhel_tus:8.2", "package": "sudo-0:1.8.29-5.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0292", "cpe": "cpe:/o:redhat:rhel_e4s:8.2", "package": "sudo-0:1.8.29-5.el8_2.2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0293", "cpe": "cpe:/o:redhat:rhel_eus:8.4", "package": "sudo-0:1.8.29-7.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0283", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "sudo-0:1.8.29-8.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0282", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "sudo-0:1.9.5p2-7.el9_1.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0282", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "sudo-0:1.9.5p2-7.el9_1.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0281", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "sudo-0:1.9.5p2-7.el9_0.2", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-01-23T00:00:00Z"}, {"advisory": "RHSA-2023:0859", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "redhat-virtualization-host-0:4.5.3-202302150956_8.6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2023-02-21T00:00:00Z"}], "bugzilla": {"description": "sudo: arbitrary file write with privileges of the RunAs user", "id": "2161142", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161142"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "details": ["In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a \"--\" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.", "A vulnerability was found in sudo. Exposure in how sudoedit handles user-provided environment variables leads to arbitrary file writing with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit."], "mitigation": {"lang": "en:us", "value": "It is possible to prevent a user-specified editor from being used by sudoedit by adding the following line to the sudoers file.\n~~~\nDefaults!sudoedit env_delete+=\"SUDO_EDITOR VISUAL EDITOR\"\n~~~\nTo restrict the editor when editing specific files, a Cmnd_Alias can be used, for example:\n~~~\nCmnd_Alias EDIT_MOTD = sudoedit /etc/motd\nDefaults!EDIT_MOTD env_delete+=\"SUDO_EDITOR VISUAL EDITOR\"\nuser ALL = EDIT_MOTD\n~~~\nBut if possible please update the affected package as soon as possible."}, "name": "CVE-2023-22809", "public_date": "2023-01-18T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-22809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-22809\nhttps://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p2\nhttps://www.sudo.ws/security/advisories/sudoedit_any/"], "threat_severity": "Important", "upstream_fix": "sudo 1.9.12p2"}