National Cyber Awareness System

Vulnerability Summary for CVE-2010-2956

Overview

Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=628628

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=628628

External Source: VUPEN

Name: ADV-2011-0025

Hyperlink:http://www.vupen.com/english/advisories/2011/0025

External Source: VUPEN

Name: ADV-2010-2358

Hyperlink:http://www.vupen.com/english/advisories/2010/2358

External Source: VUPEN

Name: ADV-2010-2320

Hyperlink:http://www.vupen.com/english/advisories/2010/2320

External Source: VUPEN

Name: ADV-2010-2318

Hyperlink:http://www.vupen.com/english/advisories/2010/2318

External Source: VUPEN

Name: ADV-2010-2312

Hyperlink:http://www.vupen.com/english/advisories/2010/2312

External Source: CONFIRM

Name: http://www.vmware.com/security/advisories/VMSA-2011-0001.html

Hyperlink:http://www.vmware.com/security/advisories/VMSA-2011-0001.html

External Source: UBUNTU

Name: USN-983-1

Hyperlink:http://www.ubuntu.com/usn/USN-983-1

External Source: CONFIRM

Name: http://www.sudo.ws/sudo/alerts/runas_group.html

Type: Advisory

Hyperlink:http://www.sudo.ws/sudo/alerts/runas_group.html

External Source: SECTRACK

Name: 1024392

Hyperlink:http://www.securitytracker.com/id?1024392

External Source: BID

Name: 43019

Hyperlink:http://www.securityfocus.com/bid/43019

External Source: BUGTRAQ

Name: 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/515545/100/0/threaded

External Source: BUGTRAQ

Name: 20101027 rPSA-2010-0075-1 sudo

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/514489/100/0/threaded

External Source: REDHAT

Name: RHSA-2010:0675

Hyperlink:http://www.redhat.com/support/errata/RHSA-2010-0675.html

External Source: MANDRIVA

Name: MDVSA-2010:175

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2010:175

External Source: CONFIRM

Name: http://wiki.rpath.com/Advisories:rPSA-2010-0075

Hyperlink:http://wiki.rpath.com/Advisories:rPSA-2010-0075

External Source: GENTOO

Name: GLSA-201009-03

Hyperlink:http://security.gentoo.org/glsa/glsa-201009-03.xml

External Source: SECUNIA

Name: 42787

Hyperlink:http://secunia.com/advisories/42787

External Source: SECUNIA

Name: 41316

Type: Advisory

Hyperlink:http://secunia.com/advisories/41316

External Source: SECUNIA

Name: 40508

Type: Advisory

Hyperlink:http://secunia.com/advisories/40508

External Source: SUSE

Name: SUSE-SR:2010:017

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html

External Source: FEDORA

Name: FEDORA-2010-14355

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047516.html