Bug 2161142 (CVE-2023-22809) - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
Summary: CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-22809
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2161216 2161217 2161218 2161219 2161220 2161221 2161222 2161223 2161224 2161225 2161268 2162041 2162042 2164759 2186685 2186686 2186687
Blocks: 2160742
Reported: 2023-01-16 05:26 UTC by Sandipan Roy
Modified: 2023-05-23 14:00 UTC (History)
CC List: 13 users

Fixed In Version: sudo 1.9.12p2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in sudo. A flaw in how sudoedit handles user-provided environment variables leads to arbitrary file writes with the privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit.
Clone Of:
Environment:
Last Closed: 2023-02-12 09:39:30 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:0297 0 None None None 2023-01-23 10:37:09 UTC
Red Hat Product Errata RHBA-2023:0473 0 None None None 2023-01-26 16:01:32 UTC
Red Hat Product Errata RHBA-2023:0486 0 None None None 2023-01-30 01:30:18 UTC
Red Hat Product Errata RHBA-2023:0487 0 None None None 2023-01-30 14:20:18 UTC
Red Hat Product Errata RHBA-2023:0537 0 None None None 2023-01-30 19:01:26 UTC
Red Hat Product Errata RHBA-2023:0581 0 None None None 2023-02-06 01:08:41 UTC
Red Hat Product Errata RHBA-2023:1080 0 None None None 2023-03-06 16:26:45 UTC
Red Hat Product Errata RHSA-2023:0280 0 None None None 2023-01-23 08:56:47 UTC
Red Hat Product Errata RHSA-2023:0281 0 None None None 2023-01-23 09:17:42 UTC
Red Hat Product Errata RHSA-2023:0282 0 None None None 2023-01-23 08:57:51 UTC
Red Hat Product Errata RHSA-2023:0283 0 None None None 2023-01-23 09:16:36 UTC
Red Hat Product Errata RHSA-2023:0284 0 None None None 2023-01-23 09:18:12 UTC
Red Hat Product Errata RHSA-2023:0287 0 None None None 2023-01-23 09:19:58 UTC
Red Hat Product Errata RHSA-2023:0291 0 None None None 2023-01-23 09:22:33 UTC
Red Hat Product Errata RHSA-2023:0292 0 None None None 2023-01-23 09:19:16 UTC
Red Hat Product Errata RHSA-2023:0293 0 None None None 2023-01-23 09:20:15 UTC
Red Hat Product Errata RHSA-2023:0859 0 None None None 2023-02-21 10:40:34 UTC
Red Hat Product Errata RHSA-2023:3262 0 None None None 2023-05-23 09:15:51 UTC
Red Hat Product Errata RHSA-2023:3264 0 None None None 2023-05-23 09:15:25 UTC
Red Hat Product Errata RHSA-2023:3276 0 None None None 2023-05-23 14:00:33 UTC

Description Sandipan Roy 2023-01-16 05:26:29 UTC
A vulnerability exists in the way sudoedit handles user-provided environment variables. This leads to arbitrary file write with privileges of the RunAs user (usually root). The prerequisite for exploitation is that the current user must be authorized by the sudoers policy to edit a file using sudoedit. This issue affects all Sudo versions <= 1.9.12p1 and was assigned CVE-2023-22809.
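
The description gives the affected range (<= 1.9.12p1) and the header gives the fixed-in version (sudo 1.9.12p2). The following is an added example, not part of this bug report or of the sudo project, showing how an administrator can parse the upstream version string printed by `sudo --version` (for example "Sudo version 1.9.12p1") and compare it against the fixed-in version. The version grammar assumed here is sudo's usual major.minor.patch with an optional "pN" patch-level suffix, a missing suffix counting as p0.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed-in version as stated in the bug header ("Fixed In Version: sudo 1.9.12p2").
FIXED_IN = "1.9.12p2"

# Assumed grammar: "1.9.12", "1.9.12p2"; the trailing pN patch level is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the upstream sudo version from text such as the first line of
    `sudo --version`. Returns (major, minor, patch, plevel) or None if no
    version is present. A missing "pN" suffix is treated as p0 so that
    1.9.12 sorts before 1.9.12p1."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_upstream_affected(version_text: str) -> bool:
    """True when the upstream version is <= 1.9.12p1, i.e. predates the fix.
    Tuple comparison handles the patch level correctly (1.9.12p1 < 1.9.12p2)."""
    v = parse_sudo_version(version_text)
    if v is None:
        raise ValueError(f"no sudo version found in {version_text!r}")
    return v < parse_sudo_version(FIXED_IN)


def installed_sudo_version_line() -> str:
    """First line of `sudo --version` on this host; no privileges are needed."""
    out = subprocess.run(
        ["sudo", "--version"], capture_output=True, text=True, check=True
    ).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    line = installed_sudo_version_line()
    if is_upstream_affected(line):
        print(f"{line}: upstream version predates the 1.9.12p2 fix")
    else:
        print(f"{line}: upstream version includes the fix")
```

Note that this check is only meaningful for upstream builds. Red Hat delivers the fix through the errata listed on this page as backports to the existing package version, so on RHEL the version string alone is not authoritative; `rpm -q --changelog sudo` and a search for CVE-2023-22809 in its output, or confirming that the relevant RHSA is installed, is the reliable check there.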

Comment 1 Radovan Sroka 2023-01-16 09:25:59 UTC
Do we have a reproducer?

Comment 6 Zack Miele 2023-01-18 16:34:30 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-36 [bug 2162041]
Affects: fedora-37 [bug 2162042]

Comment 7 errata-xmlrpc 2023-01-23 08:56:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0280 https://access.redhat.com/errata/RHSA-2023:0280

Comment 8 errata-xmlrpc 2023-01-23 08:57:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0282 https://access.redhat.com/errata/RHSA-2023:0282

Comment 9 errata-xmlrpc 2023-01-23 09:16:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0283 https://access.redhat.com/errata/RHSA-2023:0283

Comment 10 errata-xmlrpc 2023-01-23 09:17:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0281 https://access.redhat.com/errata/RHSA-2023:0281

Comment 11 errata-xmlrpc 2023-01-23 09:18:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0284 https://access.redhat.com/errata/RHSA-2023:0284

Comment 12 errata-xmlrpc 2023-01-23 09:19:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0292 https://access.redhat.com/errata/RHSA-2023:0292

Comment 13 errata-xmlrpc 2023-01-23 09:19:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2023:0287 https://access.redhat.com/errata/RHSA-2023:0287

Comment 14 errata-xmlrpc 2023-01-23 09:20:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0293 https://access.redhat.com/errata/RHSA-2023:0293

Comment 15 errata-xmlrpc 2023-01-23 09:22:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0291 https://access.redhat.com/errata/RHSA-2023:0291

Comment 18 Product Security DevOps Team 2023-01-28 17:22:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-22809

Comment 30 Product Security DevOps Team 2023-02-12 09:39:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-22809

Comment 31 errata-xmlrpc 2023-02-21 10:40:32 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:0859 https://access.redhat.com/errata/RHSA-2023:0859

Comment 33 errata-xmlrpc 2023-05-23 09:15:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2023:3264 https://access.redhat.com/errata/RHSA-2023:3264

Comment 34 errata-xmlrpc 2023-05-23 09:15:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:3262 https://access.redhat.com/errata/RHSA-2023:3262

Comment 35 errata-xmlrpc 2023-05-23 14:00:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:3276 https://access.redhat.com/errata/RHSA-2023:3276