PT-2026-55478 · Pypi · Linuxfabrik-Lib

Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-52817

CVSS v4.0: 7.0 (High)

Vector: AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Summary

In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command line, including its arguments, is not enforced, so the arguments can be chosen arbitrarily. This makes it easy to get a root shell as the nagios user:

PoC

By choosing a particular argument, you can get (as the nagios user) a root shell:
sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"
Since the nagios user can use sudo to run apt-get as root, the resulting shell also runs as root.

Impact

The vulnerability is a local privilege escalation affecting users who deploy the provided sudoers file. It requires that an attacker has already compromised the nagios account (which is quite a high barrier, to be honest).

Fix

Since only one place where apt-get is currently used (in deb-updates) was found, it should be enough to allow only the specific arguments used there.
Here is an example of how the line in the sudoers file could look:
          /usr/lib64/nagios/plugins/strongswan-connections,
          /usr/lib64/nagios/plugins/systemd-unit,
          /usr/bin/apt-get update --quiet 2
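As an added illustration (not code from the advisory or from the linuxfabrik-lib project), the check below audits a sudoers file for the condition the fix above removes: a watched command listed with no argument string, which sudoers treats as "any arguments allowed". The two sudoers fragments are constructed, and the parser assumes a simple file without Cmnd_Alias expansion.

```python
import re

# Constructed sudoers fragments (not the project's file): the unrestricted
# entry described in the advisory, and the pinned form proposed in the fix.
VULNERABLE_SUDOERS = """\
nagios ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/systemd-unit, \\
          /usr/bin/apt-get
"""
FIXED_SUDOERS = """\
nagios ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/systemd-unit, \\
          /usr/bin/apt-get update --quiet 2
"""

USER_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?P<cmds>.*)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")          # e.g. "(root)" or "(root:root)"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")       # NOPASSWD:, NOEXEC:, SETENV: ...


def _logical_lines(text):
    """Yield sudoers lines with backslash continuations joined,
    skipping blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""


def unconstrained_commands(text, watched=("/usr/bin/apt-get",)):
    """Return [(user, command)] for every watched command that a user
    specification lists without an argument string. A bare command means
    any arguments are accepted, which is what enabled the root shell here;
    '/usr/bin/apt-get update --quiet 2' (or '/usr/bin/apt-get ""') is pinned.
    Assumption: Defaults lines and *_Alias definitions are skipped, not expanded."""
    findings = []
    for line in _logical_lines(text):
        m = USER_SPEC.match(line)
        if not m or m["user"] == "Defaults" or m["user"].endswith("_Alias"):
            continue
        for spec in m["cmds"].split(","):
            spec = TAGS.sub("", RUNAS.sub("", spec.strip()))
            parts = spec.split(None, 1)
            if parts and parts[0] in watched and len(parts) == 1:
                findings.append((m["user"], parts[0]))
    return findings
```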

Correction

Argument Injection


Weakness Enumeration

Related identifiers

CVE-2026-52817
GHSA-8W6W-23MQ-H8RG

Affected products

Linuxfabrik-Lib