PT-2019-4664 · Todd Miller+4 · Sudo+4
Published: 2019-12-19 · Updated: 2024-08-05 · CVE-2019-19232
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Sudo versions 1.8.29 and earlier
Description
The issue affects sudoers entries that grant Runas ALL privileges: a user covered by such an entry can invoke sudo with a numeric uid that is not associated with any account in the password database, and the command then runs as that nonexistent user. The software maintainer considered this behavior an intentional feature, but it surprised some users. As a result, sudo 1.8.30 introduced an option to enable or disable it, disabled by default.
Recommendations
For Sudo versions 1.8.29 and earlier, consider updating to version 1.8.30 or later, which introduces an option (disabled by default) to enable or disable running commands via sudo as a user not present in the local password database. As a temporary workaround, restrict access to sudoers entries with Runas ALL privileges to minimize the risk of exploitation.
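The two recommendations above (upgrade past 1.8.29, and keep Runas ALL entries to a minimum) can be checked from a sudoers file without touching a live sudo binary. The POSIX shell audit below is an added example, not part of this advisory or of the sudo project. It assumes the sudoers option added in sudo 1.8.30 is named `runas_allow_unknown_id` (a real option; it is disabled by default, and `Defaults !runas_allow_unknown_id` negates it explicitly), the sample sudoers content is constructed for the demonstration, and the Runas ALL match is a simple pattern on `(ALL)` / `(ALL:ALL)` run-as lists rather than a full sudoers parser.

```shell
#!/bin/sh
# Added audit helper for CVE-2019-19232 (not from the advisory or from sudo).
# It reports (1) whether a sudo version string predates 1.8.30, (2) how many
# uncommented rules grant Runas ALL, and (3) whether the sudo >= 1.8.30 option
# runas_allow_unknown_id is enabled, explicitly negated, or at its default.

# Return 0 (true) if the version string is 1.8.29 or earlier.
# A trailing "pN" patch suffix such as 1.8.31p2 is ignored.
version_is_pre_1_8_30() {
    v=${1%%p*}
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0        # two-component version, e.g. "1.8"
    [ $((maj * 1000000 + min * 1000 + pat)) -lt 1008030 ]
}

# Count uncommented rules whose run-as list is ALL or ALL:ALL.
count_runas_all() {
    grep -Ec '^[^#]*\([[:space:]]*ALL[[:space:]]*(:[[:space:]]*ALL[[:space:]]*)?\)' "$1" || true
}

# Print ENABLED, DISABLED or DEFAULT for runas_allow_unknown_id.
# sudoers applies Defaults lines in order, so the last matching line wins.
runas_unknown_id_state() {
    last=$(grep -E '^[[:space:]]*Defaults[^#]*[[:space:],]!?runas_allow_unknown_id([[:space:]]|$)' "$1" | tail -n 1)
    case $last in
        '')                           echo DEFAULT ;;
        *'!runas_allow_unknown_id'*)  echo DISABLED ;;
        *)                            echo ENABLED ;;
    esac
}

# Full report; returns 1 when the host still honours numeric uids of unknown users.
audit_sudoers() {
    file=$1; ver=$2
    n=$(count_runas_all "$file")
    state=$(runas_unknown_id_state "$file")
    echo "sudo $ver: $n Runas ALL rule(s), runas_allow_unknown_id=$state"
    if version_is_pre_1_8_30 "$ver"; then
        echo "  RISK: sudo < 1.8.30 always accepts unknown numeric uids; upgrade"
        return 1
    fi
    if [ "$state" = ENABLED ]; then
        echo "  RISK: option enabled; set 'Defaults !runas_allow_unknown_id'"
        return 1
    fi
    echo "  OK: unknown numeric uids are rejected"
    return 0
}

# Constructed sample sudoers (not from any real host) for the demo run below.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Defaults env_reset
Defaults runas_allow_unknown_id
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(www-data) /usr/bin/rsync
EOF
audit_sudoers "$SAMPLE" 1.8.29   || :   # finding: version too old
audit_sudoers "$SAMPLE" 1.8.31p2 || :   # finding: option enabled in sudoers
rm -f "$SAMPLE"
```

On a real host, run `audit_sudoers` over `/etc/sudoers` and each file in `/etc/sudoers.d/` with the version reported by `sudo -V`, and validate any edit with `visudo -c` before relying on it.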
Fix
Weakness Enumeration
Improper Access Control
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Centos
Red Hat
Sudo