Vulnerability Details : CVE-2021-23239

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

Published 2021-01-12 09:15:14

Updated 2022-11-09 04:12:06

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-23239

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 18 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-23239

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	[email protected]
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
2.5	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N	1.0	1.4	[email protected]
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2021-23239

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: [email protected] (Primary)

References for CVE-2021-23239

https://lists.debian.org/debian-lts-announce/2022/11/msg00007.html

Mailing List;Third Party Advisory
https://www.sudo.ws/stable.html#1.9.5

Release Notes;Vendor Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210129-0010/

Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202101-33

Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/[email protected]/message/EE42Y35SMJOLONAIBNYNFC7J44UUZ2Y6/

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/[email protected]/message/GMY4VSSBIND7VAYSN6T7XIWJRWG4GBB3/

Mailing List;Third Party Advisory

CVEs referencing this url
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2021-23239

Exploit;Issue Tracking;Third Party Advisory

Products affected by CVE-2021-23239

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Hci Management Node » Version: N/A
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire » Version: N/A
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
Matching versions
Sudo Project » Sudo
Versions from including (>=) 1.9.0 and before (<) 1.9.5
cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
Matching versions
Sudo Project » Sudo
Versions before (<) 1.8.32
cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
Matching versions