#VU32823 Format string error


Published: 2020-07-29

Vulnerability identifier: #VU32823

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2012-0809

CWE-ID: CWE-134

Exploitation vector: Local

Exploit availability: Yes

Vulnerable software:
Sudo
Client/Desktop applications / Software for system administration

Vendor: Sudo

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Sudo: 1.8.0 - 1.8.3p1


CPE

External links
http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0591.html
http://archives.neohapsis.com/archives/fulldisclosure/2012-01/att-0591/advisory_sudo.txt
http://security.gentoo.org/glsa/glsa-201203-06.xml
http://www.sudo.ws/sudo/alerts/sudo_debug.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability