CVE-2013-1776

Sažetak

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

Reference

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701839
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-updates/2013-03/msg00066.html
http://rhn.redhat.com/errata/RHSA-2013-1353.html
http://www.debian.org/security/2013/dsa-2642
http://www.openwall.com/lists/oss-security/2013/02/27/31
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/58207
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.517440
http://www.sudo.ws/repos/sudo/rev/632f8e028191
http://www.sudo.ws/repos/sudo/rev/6b22be4d09f0
http://www.sudo.ws/sudo/alerts/tty_tickets.html
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023
https://bugzilla.redhat.com/show_bug.cgi?id=916365
https://exchange.xforce.ibmcloud.com/vulnerabilities/82453
https://support.apple.com/kb/HT205031

CVSS

Base:	4.4
Impact:	6.4
Exploitability:	3.4

Pristup

Vektor	Složenost	Autentikacija
LOCAL	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:L/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

29-08-2017 - 01:33

Objavljeno

08-04-2013 - 17:55