Vulnerabilities > Sudo Project
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-29 | CVE-2019-18634 | Out-of-bounds Write vulnerability in multiple products In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. | 7.8 |
| 2019-11-04 | CVE-2005-4890 | Improper Input Validation vulnerability in multiple products There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". | 7.2 |
| 2019-11-04 | CVE-2019-18684 | Race Condition vulnerability in Sudo Project Sudo Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. | 7.0 |
| 2019-10-17 | CVE-2019-14287 | Improper Handling of Exceptional Conditions vulnerability in multiple products In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. | 8.8 |
| 2018-05-29 | CVE-2016-7076 | Command Injection vulnerability in Sudo Project Sudo sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. | 7.8 |
| 2017-10-10 | CVE-2015-8239 | Race Condition vulnerability in Sudo Project Sudo The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed. | 6.9 |
| 2017-06-05 | CVE-2017-1000368 | Improper Input Validation vulnerability in Sudo Project Sudo Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution. | 7.2 |
| 2017-06-05 | CVE-2017-1000367 | Race Condition vulnerability in Sudo Project Sudo Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. | 6.4 |
| 2017-04-24 | CVE-2014-9680 | Information Exposure vulnerability in Sudo Project Sudo sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives. | 2.1 |
| 2015-11-17 | CVE-2015-5602 | Permissions, Privileges, and Access Controls vulnerability in Sudo Project Sudo sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt." | 7.2 |