Use of Externally-Controlled Format String Affecting sudo package, versions <1.8.3p1-1ubuntu3
Threat Intelligence
- Exploit Maturity: Mature
- EPSS: 0.06% (28th percentile)
- Snyk ID SNYK-UBUNTU1204-SUDO-2976155
- published 6 Aug 2022
- disclosed 1 Feb 2012
Introduced: 1 Feb 2012
CVE-2012-0809
How to fix?
Upgrade Ubuntu:12.04 sudo to version 1.8.3p1-1ubuntu3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream sudo package and not the sudo package as distributed by Ubuntu.
See How to fix? for Ubuntu:12.04 relevant fixed versions and status.
Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-0809
- http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0591.html
- http://www.sudo.ws/sudo/alerts/sudo_debug.html
- http://archives.neohapsis.com/archives/fulldisclosure/2012-01/att-0591/advisory_sudo.txt
- http://security.gentoo.org/glsa/glsa-201203-06.xml
- https://www.exploit-db.com/exploits/25134
CVSS Scores
version 3.1