Vulnerability Details: CVE-2010-1646
The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.
Exploit prediction scoring system (EPSS) score for CVE-2010-1646
Probability of exploitation activity in the next 30 days: 0.04%
Percentile (the proportion of vulnerabilities scored at or below this one): ~8%
CVSS scores for CVE-2010-1646
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.2 | MEDIUM | AV:L/AC:H/Au:N/C:C/I:C/A:C | 1.9 | 10.0 | NIST
CWE ids for CVE-2010-1646
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-1646
- http://www.securitytracker.com/id?1024101 (Sudo Error in Processing Duplicate Environment Variables Lets Local Users Bypass Access Controls - SecurityTracker)
- http://www.securityfocus.com/bid/40538 (Todd Miller Sudo 'secure path' Security Bypass Vulnerability)
- https://bugzilla.redhat.com/show_bug.cgi?id=598154 (598154 - (CVE-2010-1646) CVE-2010-1646 sudo: insufficient environment sanitization issue)
- http://www.sudo.ws/repos/sudo/rev/a09c6812eaec (sudo: a09c6812eaec) [Exploit; Patch]
- http://www.vupen.com/english/advisories/2010/1518
- http://www.redhat.com/support/errata/RHSA-2010-0475.html (Red Hat Support)
- http://www.vupen.com/english/advisories/2011/0212
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7338 (OVAL Repository)
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:118 (mandriva.com)
- http://www.vupen.com/english/advisories/2010/1452
- http://www.debian.org/security/2010/dsa-2062 (Debian -- Security Information -- DSA-2062-1 sudo)
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2011:002)
- http://www.securityfocus.com/archive/1/514489/100/0/threaded (SecurityFocus)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043012.html ([SECURITY] Fedora 11 Update: sudo-1.7.2p6-2.fc11)
- http://www.vupen.com/english/advisories/2010/1519
- http://security.gentoo.org/glsa/glsa-201009-03.xml (sudo: Privilege Escalation (GLSA 201009-03) - Gentoo security)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10580 (OVAL Repository)
- http://www.sudo.ws/sudo/alerts/secure_path.html (Sudo's secure path option can be circumvented) [Vendor Advisory]
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043026.html ([SECURITY] Fedora 12 Update: sudo-1.7.2p6-2.fc12)
- http://www.sudo.ws/repos/sudo/rev/3057fde43cf0 (sudo: 3057fde43cf0) [Exploit; Patch]
- http://www.vupen.com/english/advisories/2010/1478
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042838.html ([SECURITY] Fedora 13 Update: sudo-1.7.2p6-2.fc13)
- http://wiki.rpath.com/Advisories:rPSA-2010-0075
Products affected by CVE-2010-1646
- cpe:2.3:a:todd_miller:sudo:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p7:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p4:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p5:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.4p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p6:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p7:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.5p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.5p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.3p3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.4p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p4:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p5:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p6:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.2p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.2p3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.7p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p4:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p11:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p12:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p6:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p7:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p15:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p16:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.7p4:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.7p5:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p8:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p10:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p11:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p19:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p20:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.2p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p9:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p10:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p4:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p5:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p12:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p13:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p14:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p21:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.7.2p7:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p22:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.7p2:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.7p3:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p5:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.8p6:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p1:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p8:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p9:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p17:*:*:*:*:*:*:*
- cpe:2.3:a:todd_miller:sudo:1.6.9p18:*:*:*:*:*:*:*