CVE-2025-64517

MEDIUM4.4EPSS 0.02%

sudo-rs doesn't record authenticating user properly in timestamp

發布日:2025/11/13修改日:2025/11/13
也稱為:GHSA-q428-6v73-fc4q

描述

### Summary When `Defaults targetpw` (or `Defaults rootpw`) is enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. `sudo-rs` prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. ### Impact A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. ### Example With this in /etc/sudoers: ``` Defaults targetpw user ALL=(ALL:ALL) ALL ``` First run: ``` user@machine$ sudo -g root whoami [sudo: authenticate] Password: <password for user> user ``` Then run: ``` user@machine$ sudo -u root whoami root ``` ### Affected versions sudo-rs prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`. ### Credits This issue was discovered and reported by @Pingasmaster.

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 3.1MEDIUM4.4CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

參考連結(6)