CVE-2025-32463
- CVSS 9.3
- EPSS 23.61%
- Published 30.06.2025 00:00:00
- Last modified 30.09.2025 13:30:30
- Source cve@mitre.org
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Data provided by the National Vulnerability Database (NVD)
Sudo Project ≫ Sudo Version >= 1.9.14, < 1.9.17
Sudo Project ≫ Sudo Version 1.9.17
Canonical ≫ Ubuntu Linux Version 22.04 (LTS)
Canonical ≫ Ubuntu Linux Version 24.04 (LTS)
Canonical ≫ Ubuntu Linux Version 24.10
Canonical ≫ Ubuntu Linux Version 25.04
Debian ≫ Debian Linux Version 11.0
Debian ≫ Debian Linux Version 12.0
Debian ≫ Debian Linux Version 13.0
Redhat ≫ Enterprise Linux Version 10.0
Suse ≫ Linux Enterprise Desktop Version 15 SP6
Suse ≫ Linux Enterprise Desktop Version 15 SP7
Suse ≫ Linux Enterprise Real Time Version 15.0 SP2
Suse ≫ Linux Enterprise Real Time Version 15.0 SP6
Suse ≫ Linux Enterprise Real Time Version 15.0 SP7
Suse ≫ Linux Enterprise Server For Sap Version 12 SP6
Suse ≫ Linux Enterprise Server For Sap Version 12 SP7
29.09.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
- Description: Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 23.61% | 0.958 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 7.8 | 1.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
cve@mitre.org | 9.3 | 2.5 | 6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.