Main Vulnerability Database Vulnerabilities #VU32823

#VU32823 Format string error in Sudo - CVE-2012-0809

Published: February 1, 2012 / Updated: July 29, 2020

Vulnerability identifier: #VU32823

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2012-0809

CWE-ID: CWE-134

Exploitation vector: Local access

Exploit availability: Public exploit is available

Vulnerable software:
Sudo

Software vendor:
Sudo

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.

Remediation

Install update from vendor's website.

External links

http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0591.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-01/att-0591/advisory_sudo.txt
http://security.gentoo.org/glsa/glsa-201203-06.xml
http://www.sudo.ws/sudo/alerts/sudo_debug.html