Bug 2179272 (CVE-2023-28486) - CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
Summary: CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
Status: NEW
Alias: CVE-2023-28486
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: Red Hat2182148 Red Hat2182149 2179274 2179275
Blocks: Embargoed2179004
TreeView+ depends on / blocked
Reported: 2023-03-17 07:47 UTC by Sandipan Roy
Modified: 2023-03-27 17:40 UTC (History)
2 users (show)

Fixed In Version: sudo-1.9.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where sudo improperly escapes terminal control characters during logging operations. As sudo's log messages may contain user-controlled strings, this may allow an attacker to inject terminal control commands, leading to a leak of restricted information.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Sandipan Roy 2023-03-17 07:47:36 UTC
Sudo before 1.9.13 does not escape control characters in log messages.


Comment 1 Sandipan Roy 2023-03-17 07:51:05 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-36 [bug 2179274]
Affects: fedora-37 [bug 2179275]

Note You need to log in before you can comment on or make changes to this bug.