Vulnerability Details : CVE-2019-19232
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior, with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.
Products affected by CVE-2019-19232
- cpe:2.3:a:sudo:sudo:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19232
0.76% (probability of exploitation activity in the next 30 days)
EPSS Score History
~81% (percentile: the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-19232
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | 
References for CVE-2019-19232
- https://www.oracle.com/security-alerts/bulletinapr2020.html
  Oracle Solaris Third Party Bulletin - April 2020
- https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html
  BSI - CERT Bund - Meldungen - CB-K20/0001
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
  [SECURITY] Fedora 32 Update: sudo-1.9.0-0.1.b1.fc32 - package-announce - Fedora Mailing-Lists
- https://www.sudo.ws/stable.html
  Sudo Stable Release (Vendor Advisory)
- https://www.tenable.com/plugins/nessus/133936
  EulerOS 2.0 SP5 : sudo (EulerOS-SA-2020-1135) | Tenable
- https://www.sudo.ws/devel.html#1.8.30b2
  Sudo Development Releases (Vendor Advisory)
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812
  Bug Not Available
- https://access.redhat.com/security/cve/cve-2019-19232
  Red Hat Customer Portal
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870
  Bug Not Available
- https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232
  CVE-2019-19232
- https://support.apple.com/kb/HT211100
  About the security content of macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra - Apple Support
- https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506
  LIN1018-5506 - Security Advisory - sudo - CVE-2019-19232
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979
  Cisco Bug: CSCvs58979 - Multiple Vulnerabilities in sudo
- http://seclists.org/fulldisclosure/2020/Mar/31
  Full Disclosure: APPLE-SA-2020-03-24-2 macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra
- https://security.netapp.com/advisory/ntap-20200103-0004/
  December 2019 Sudo Vulnerabilities in NetApp Products | NetApp Product Security
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103
  Cisco Bug: CSCvs58103 - [ciam] Sudo Nonexistent User Impersonation Vulnerability
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
  [SECURITY] Fedora 31 Update: sudo-1.9.0-0.1.b1.fc31 - package-announce - Fedora Mailing-Lists
- https://support.apple.com/en-gb/HT211100
  About the security content of macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra - Apple Support