CVE-2019-14287
HIGH8.8EPSS 85.8%sudo - security update
Published: 10/17/2019Modified: 4/28/2026
Description
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
Affected packages (4)
- Alpine/sudofrom 0, < 1.8.27-r1
- Debian/sudofrom 0, < 1.8.27-1.1
- Debian/sudofrom 0, < 1.8.10p3-1+deb8u6
- Debian/sudofrom 0, < 1.8.19p1-2.1+deb9u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |