PT-2021-7361 · Sudo+8

Published: 2021-01-06 · Updated: 2025-05-08 · CVE-2021-23239

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Sudo versions prior to 1.9.5

Description

The issue is in the sudoedit personality of Sudo. A local unprivileged user who wins a race condition, replacing a user-controlled directory with a symlink to an arbitrary path, may be able to perform arbitrary directory-existence tests. The cause is incorrect handling of symbolic links before accessing a file, which potentially allows an attacker to access confidential data.

Recommendations

For versions prior to 1.9.5, update to version 1.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the sudoedit personality until a patch is available.

Weakness Enumeration

Link Following

Related Identifiers

ALT-PU-2021-1164
ALT-PU-2021-1174
ALT-PU-2021-1184
BDU:2022-05782
CESA-2021_1723
CVE-2021-23239
DLA-3181-1
ELSA-2021-1723
MGASA-2021-0042
OESA-2021-1002
OPENSUSE-SU-2021:0169-1
OPENSUSE-SU-2021:0170-1
OPENSUSE-SU-2021_0169-1
OPENSUSE-SU-2021_0170-1
OPENSUSE-SU-2024:11413-1
RHSA-2021:1723
RHSA-2021_1723
RLSA-2021:1723
RLSA-2021_1723
SUSE-SU-2021:0225-1
SUSE-SU-2021:0226-1
SUSE-SU-2021:0227-1
SUSE-SU-2021:0232-1
SUSE-SU-2021_0225-1
SUSE-SU-2021_0226-1
SUSE-SU-2021_0227-1
SUSE-SU-2021_0232-1
USN-4705-1

Affected Products

Alt Linux
Astra Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
Sudo
SUSE
Ubuntu