CVE-2019-14287

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

66 fixes found:

    Workaround

    Configuration change to mitigate CVE-2019-14287
    Published Date: Jun 14, 2019
    Updated Date: Jun 14, 2019

    Version Update

    sudo security update
    Published Date: Nov 14, 2019
    Updated Date: Nov 14, 2019
    Source: Centos6
    Affected Packages: sudo-1.8.6p3, sudo-devel-1.8.6p3

    Version Update

    sudo security update
    Published Date: Oct 31, 2019
    Updated Date: Oct 31, 2019
    Source: Centos7
    Affected Packages: sudo-1.8.23, sudo-devel-1.8.23

    Version Update

    [SECURITY] [DLA 1964-1] sudo security update
    Published Date: Oct 17, 2019
    Updated Date: Oct 17, 2019
    Source: Debian8
    Affected Packages: sudo-ldap-1.8.10p3, sudo-1.8.10p3

    Version Update

    [SECURITY] [DSA 4543-1] sudo security update
    Published Date: Oct 14, 2019
    Updated Date: Oct 14, 2019
    Source: Debian9
    Affected Packages: sudo-ldap-1.8.19p1, sudo-1.8.19p1

    Version Update

    [SECURITY] [DSA 4543-1] sudo security update
    Published Date: Oct 14, 2019
    Updated Date: Oct 14, 2019
    Source: Debian10
    Affected Packages: sudo-1.8.27, sudo-ldap-1.8.27

    Version Update

    Sudo vulnerability
    Published Date: Oct 14, 2019
    Updated Date: Oct 14, 2019
    Source: Ubuntu14.04
    Affected Packages: sudo-ldap-1.8.9p5, sudo-1.8.9p5

    Version Update

    Sudo vulnerability
    Published Date: Oct 14, 2019
    Updated Date: Oct 14, 2019
    Source: Ubuntu16.04
    Affected Packages: sudo-ldap-1.8.16, sudo-1.8.16