CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
5.1%
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a
plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in
a heap-based buffer over-read. This can be triggered by arbitrary local
users with access to Sudo by entering a password of seven characters or
fewer. The impact could vary depending on the system libraries, compiler,
and processor architecture.
Author | Note |
---|---|
mdeslaur | sudo packages in Ubuntu are compiled with PAM support, so the vulnerable code isn’t part of the binaries. |