CVE-2017-1000367
moderate-risk
Published 2017-06-05
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.
Do I need to act?
!
19.4% chance of exploitation in next 30 days
EPSS score — higher than 81% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10
Medium
LOCAL
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (36)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00077.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00078.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00079.html
Mailing List
http://seclists.org/fulldisclosure/2017/Jun/3
Third Party Advisory
http://www.debian.org/security/2017/dsa-3867
Third Party Advisory
http://www.securityfocus.com/bid/98745
Third Party Advisory
http://www.ubuntu.com/usn/USN-3304-1
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1381
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1382
Third Party Advisory
https://security.gentoo.org/glsa/201705-15
Third Party Advisory
https://www.exploit-db.com/exploits/42183/
Vendor Advisory
https://www.sudo.ws/alerts/linux_tty.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00077.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00078.html
and 16 more references
36
/ 100
moderate-risk
Severity
17/34 · Moderate
Exploitability
14/34 · Moderate
Exposure
5/34 · Minimal