This security bulletin contains one low risk vulnerability.
CWE-200 - Information Exposure
Exploit availability: No
Description
The vulnerability allows a local authenticated user to gain access to sensitive information.
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Sudo: 1.8.0 - 1.8.11p2
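To check a host against the range above, the following added example (not part of the original bulletin or of sudo itself) tests a sudo version string, including the "pN" patch-level suffix, against 1.8.0 through 1.8.11p2. The function names are this example's own, and the sample versions in the loop are constructed.

```shell
#!/bin/sh
# Added example: is a given sudo version inside the range this bulletin lists
# as vulnerable (1.8.0 through 1.8.11p2)? Function names are this example's own.

# Exit status: 0 = in the affected range, 1 = outside it, 2 = unrecognised format.
sudo_version_affected() {
    v=${1#Sudo version }   # accept the first line of `sudo -V` as-is
    printf '%s\n' "$v" | awk -F'[.p]' '
        # Pack major.minor.patch[pN] into one number so ranges compare numerically.
        function key(a, b, c, d) { return ((a * 1000 + b) * 1000 + c) * 1000 + d }
        /^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ {
            k = key($1, $2, $3, $4)          # a missing pN field counts as 0
            exit ((k >= key(1, 8, 0, 0) && k <= key(1, 8, 11, 2)) ? 0 : 1)
        }
        { exit 2 }                           # beta/rc builds or garbage: do not guess
    '
}

# Report on the locally installed sudo, if there is one.
check_local_sudo() {
    line=$(sudo -V 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "sudo not found"; return 2; }
    if sudo_version_affected "$line"; then
        echo "$line: in the affected range, update to 1.8.12 or later"
    else
        echo "$line: not in the listed range (or unrecognised version format)"
    fi
}

# Constructed sample versions, so the script shows output without sudo installed.
for sample in 1.7.10p9 1.8.0 1.8.6p7 1.8.11p2 1.8.12 1.8.12rc1; do
    rc=0
    sudo_version_affected "$sample" || rc=$?
    case $rc in
        0) echo "$sample: affected" ;;
        1) echo "$sample: not affected" ;;
        *) echo "$sample: unrecognised version format" ;;
    esac
done
```

Call `check_local_sudo` to test the installed binary. Distribution packages may backport the fix without changing the upstream version number, so a match here is a prompt to check the vendor's package changelog.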
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?