
CVE-2015-8239

Published: 10/10/2017 Updated: 05/11/2017
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
CVSS v3 Base Score: 7 | Impact Score: 5.9 | Exploitability Score: 1
VMScore: 614
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.

Vulnerable Product

sudo project sudo 1.8.15

sudo project sudo 1.8.14

sudo project sudo 1.8.13

sudo project sudo 1.8.12

sudo project sudo 1.8.10

sudo project sudo 1.8.9

sudo project sudo 1.8.11

sudo project sudo 1.8.8

Vendor Advisories

Debian Bug report logs - #805563
sudo: CVE-2015-8239: Race condition when checking digests in sudoers
Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>; Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 19 Nov 2015 14:51:06 UTC
Severity: important
Tags: fixed-upstream, security ...

The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed ...

Github Repositories

sudoers Digest_Spec TOCTOU POC

Rationale: Alyssa Milburn (twitter.com/noopwafel) discovered a TOCTOU race condition bug in sudo when the Digest_Spec setting is used. The Digest_Spec setting can be used to allow a user to sudo a binary if and only if its hash matches a prescribed value. See man sudoers and search for Digest_Spec for more information on this feature, and s