CVE-2019-14287

HIGH 8.8 | EPSS 85.8%

sudo - security update

Published: 2019/10/17 | Modified: 2025/11/19
Also known as: ALPINE-CVE-2019-14287, DEBIAN-CVE-2019-14287

Description

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Affected packages (4)

CVSS score

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)