CVE-2019-14287: sudo: can bypass certain policy blacklists
Bug #1852825 reported by Ghada Khalil
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | Robin Lu |
Bug Description
CVE-2019-14287
Status: fixed
CVSSv2 score: 9
Attack Vector: N
Access Complexity: L
Authentication: S
Availability Impact: C
Affected packages: sudo
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
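An added check for this bug, written for this page and not taken from the StarlingX fix or from sudo itself: it parses `sudo -V` output against the first fixed release (1.8.28) and flags sudoers rules whose Runas spec grants ALL but blacklists root, the `(ALL, !root)` shape the description says can be bypassed; the `sudo -V` text and sudoers lines below are constructed samples. The version check is only a heuristic, since distributions backport the fix without bumping the version number.

```python
import re

# First release the description names as fixed. Distro backports may patch
# older version numbers, so treat a version hit as a prompt to verify, not proof.
FIXED_VERSION = (1, 8, 28)

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# Runas list that grants ALL target users but excludes root by name or uid 0,
# i.e. the "(ALL, !root)" policy blacklist the CVE text says can be bypassed.
BLACKLIST_RE = re.compile(r"\(\s*ALL\b[^)]*!\s*(?:root|#0)\b[^)]*\)")


def parse_sudo_version(sudo_v_output):
    """Return (major, minor, patch) from `sudo -V` output, or None if absent."""
    m = VERSION_RE.search(sudo_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_vulnerable(version):
    return version is not None and version < FIXED_VERSION


def find_blacklist_rules(sudoers_text):
    """Return (line_no, line) for rules whose Runas spec relies on excluding root."""
    hits = []
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment line; a '#uid' only appears inside a Runas spec
        if BLACKLIST_RE.search(line):
            hits.append((no, line))
    return hits


def assess(sudo_v_output, sudoers_text):
    version = parse_sudo_version(sudo_v_output)
    rules = find_blacklist_rules(sudoers_text)
    vulnerable = version_is_vulnerable(version)
    # Only a host meeting both conditions lets the crafted uid reach root.
    return {"version": version, "vulnerable_version": vulnerable,
            "blacklist_rules": rules, "exposed": vulnerable and bool(rules)}


# Constructed sample input standing in for `sudo -V` and /etc/sudoers.
SAMPLE_SUDO_V = "Sudo version 1.8.23\nSudoers policy plugin version 1.8.23\n"
SAMPLE_SUDOERS = """\
# constructed sudoers sample
Defaults env_reset
alice ALL=(ALL, !root) /usr/bin/vim
bob   ALL=(ALL) NOPASSWD: /usr/bin/systemctl
carol ALL=(ALL, !#0) ALL
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SUDO_V, SAMPLE_SUDOERS))
```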
https:/
CVE References
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Lin Shuicheng (shuicheng)
Changed in starlingx:
assignee: Lin Shuicheng (shuicheng) → Robin Lu (robinlu)
information type: Private Security → Public Security
Changed in starlingx:
status: Triaged → In Progress
tags: added: in-r-stx20
This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.