An attacker can leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. Sudo versions affected: Sudo versions 1.9.14 to 1.9.17 inclusive are affected. CVE ID: This vulnerability has been assigned CVE-2025-32463 in the Common Vulnerabilities and Exposures database.
Sudo’s host (-h or --host) option is intended to be used in conjunction with the list option (-l or --list) to list a user’s sudo privileges on a host other than the current one. However, due to a bug it was not restricted to listing privileges and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file this could allow a local privilege escalation attack.
A flaw exists in sudo’s per-command chroot feature that could result in the variable that stores the command being freed more than once. Sudo versions affected: Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected. Versions of sudo prior to 1.9.8 are not affected. CVE ID: This vulnerability has been assigned CVE-2023-27320 in the Common Vulnerabilities and Exposures database.
If the env_reset option is disabled in the sudoers file, a malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run. Sudo versions affected: Sudo 1.6.9 through 1.8.4p5 inclusive. Sudo 1.8.5 and higher are not affected.
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user’s time stamp file can be reset using sudo -k or removed altogether via sudo -K. A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themsel...
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). This time stamp file can either be common to all of a user’s terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the tty_tickets option in the sudoers file. This option has b...
A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers.
A flaw exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges. Sudo versions affected: 1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected. CVE ID: This vulnerability has been assigned CVE-2012-0809 in the Common Vulnerabilities and Exposures database.
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo’s password checking logic that allows a user to run a command with only the group changed without being prompted for a password. Sudo versions affected: Sudo 1.7.0 through 1.7.4p4.
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.
Sudo’s “secure path” feature works by replacing the PATH environment variable with a value specified in the sudoers file, or at compile time if the --with-secure-path configure option is used. The flaw is that sudo only replaces the first instance of PATH in the environment. If the program being run through sudo uses the last instance of PATH in the environment, an attacker may be able to avoid the “secure path” restrictions.
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426. Sudo versions affected: 1.6.8 through 1.7.2p5 inclusive. CVE ID: This vulnerability has been assigned CVE-2010-1163 in the Common Vulnerabilities and Exposures database.
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.9 through 1.7.2p3 that may give a user with permission to run sudoedit the ability to run arbitrary commands. Sudo versions affected: 1.6.9 through 1.7.2p3 inclusive. CVE ID: This vulnerability has been assigned CVE-2010-0426 in the Common Vulnerabilities and Exposures database.
A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that caused the negation operator to have no effect when used in a Cmnd_Alias. Sudo versions affected: 1.7.0 through 1.7.2p1 inclusive. Details: Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. The Cmnd_Alias is expanded when command matching is performed as sudo checks whether a user is allowed to run a particular command. There is a flaw in the code that matches lists of commands where the negation operator was ap...
A bug was introduced in Sudo’s group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies. Sudo versions affected: Sudo versions 1.6.9 up to and including 1.6.9p19. Sudo version 1.7.0 is not affected.
Sudo can optionally be built with support for Kerberos 5 authentication. A flaw exists in sudo’s Kerberos 5 authentication that, depending on the local machine’s Kerberos 5 configuration, could allow a malicious user to avoid authenticating with sudo. The user would still be limited by the sudoers file as to what commands could be run (and as what user). Sudo versions affected: All versions prior to 1.6.9.
A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p12 that could allow a malicious user with permission to run a perl script to execute arbitrary perl code. Sudo versions affected: All versions prior to 1.6.8p12. CVE ID: This vulnerability has been assigned CVE-2004-1051 in the Common Vulnerabilities and Exposures database.
A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p10 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux and Mac OS X systems is bash. Sudo versions affected: All versions prior to 1.6.8p10.
A race condition exists in Sudo’s command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands. Sudo versions affected: Sudo versions 1.3.1 up to and including 1.6.8p8. CVE ID: This vulnerability has been assigned CVE-2005-1993 in the Common Vulnerabilities and Exposures database.
A flaw exists in sudo’s environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash. Sudo versions affected: All versions prior to 1.6.8p2.
A flaw exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files. Sudo versions affected: Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected. CVE ID: This vulnerability has been assigned CVE-2023-22809 in the Common Vulnerabilities and Exposures database.
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Sudo versions affected: Sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1 are affected.
On systems where SELinux is enabled, sudo’s RBAC support allows a command to be run with a user-specified role and/or type. In order to transition to the target SELinux security context, sudo runs the command through the sesh helper program. When sudo is invoked as sudoedit, sesh is used to first create the editor temporary files with the proper security context and then, once the editor has run, to copy the edited temporary files to their original locations.
Sudo’s pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains white space followed by a number.
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions. Sudo versions affected: 1.6.8 through 1.8.14p3 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database.
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function. Sudo versions affected: 1.6.8 through 1.8.18 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7076 in the Common Vulnerabilities and Exposures database.
Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library’s TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block.