CVE-2023-28487: Escape control characters in log messages and "sudoreplay -l" output. · sudo-project/sudo@334daf9

Sudo before 1.9.13 does not escape control characters in sudoreplay output.

Escape control characters in log messages and “sudoreplay -l” output.

The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped.

Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces.

Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com).
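The quoting rules described in the commit message above, sketched in C as an added example; this is not the code from the sudo commit. The names `format_args` and `escape_arg`, the `#ooo` octal form for control characters, and the quoting of empty arguments are assumptions of this example, and only the argument vector is covered, not the command path.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct buf { char *p; size_t len, cap; int overflow; };  /* cap includes the NUL */

static void put(struct buf *b, char c)
{
    if (b->len + 1 < b->cap) b->p[b->len++] = c;
    else b->overflow = 1;
}

static void escape_arg(struct buf *b, const char *arg)
{
    /* Quote args containing spaces; quoting the empty arg is an added assumption. */
    int quote = arg[0] == '\0' || strchr(arg, ' ') != NULL;
    if (quote) put(b, '\'');
    for (const unsigned char *s = (const unsigned char *)arg; *s != '\0'; s++) {
        if (*s == '\'' || *s == '\\') {          /* backslash-escape ' and \ */
            put(b, '\\');
            put(b, (char)*s);
        } else if (iscntrl(*s)) {                /* ESC, BEL, CR, LF, DEL, ... */
            put(b, '#');                         /* assumed #ooo octal notation */
            for (int sh = 6; sh >= 0; sh -= 3)
                put(b, (char)('0' + ((*s >> sh) & 7)));
        } else {
            put(b, (char)*s);
        }
    }
    if (quote) put(b, '\'');
}

/* Returns 0 on success, -1 if out was too small (out is still NUL-terminated). */
int format_args(char *const argv[], char *out, size_t cap)
{
    struct buf b = { out, 0, cap, 0 };
    if (cap == 0) return -1;
    for (int i = 0; argv[i] != NULL; i++) {
        if (i > 0) put(&b, ' ');
        escape_arg(&b, argv[i]);
    }
    out[b.len] = '\0';
    return b.overflow ? -1 : 0;
}

int main(void)
{
    char out[64], *args[] = { "-l", "a b", "\033[2J", NULL };  /* constructed sample */
    return format_args(args, out, sizeof(out)) == 0 ? puts(out) < 0 : 1;
}
```

In the C locale `iscntrl()` matches only 0x00-0x1f and 0x7f, so bytes 0x80-0x9f, which some terminals treat as C1 controls, pass through this sketch unchanged.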


Related news

Red Hat Security Advisory 2024-0811-03

Red Hat Security Advisory 2024-0811-03 - A security update for sudo is now available for Red Hat Enterprise Linux 8 and 9.

Gentoo Linux Security Advisory 202309-12

Gentoo Linux Security Advisory 202309-12 - Multiple vulnerabilities have been found in sudo, the worst of which can result in root privilege escalation. Versions greater than or equal to 1.9.13_p2 are affected.

CVE-2023-32463: DSA-2023-200: Security Update for Dell VxRail for Multiple Third-Party Component Vulnerabilities

Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

Ubuntu Security Notice USN-6005-2

Ubuntu Security Notice 6005-2 - USN-6005-1 fixed vulnerabilities in Sudo. This update provides the corresponding updates for Ubuntu 16.04 LTS. Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly escaped control characters in log messages and sudoreplay output. An attacker could possibly use these issues to inject terminal control characters that alter output when being viewed.
