CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
10.1%
Todd Miller reports:
When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash (β/β). The flaw is that
sudoβs the matching code would only check against the list of
pseudo-commands if the user-specified command also contained no
slashes. As a result, if the user ran βsudo ./sudoeditβ the normal
matching code path was followed, which uses stat(2) to verify that
the user-specified command matches the one in sudoers. In this
case, it would compare the β./sudoeditβ specified by the user with
βsudoeditβ from the sudoers file, resulting in a positive
match.