CVE - CVE-2019-14287

CVE-ID
CVE-2019-14287	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20191015 [SECURITY] [DSA 4543-1] sudo security update URL:https://seclists.org/bugtraq/2019/Oct/21 BUGTRAQ:20191015 [slackware-security] sudo (SSA:2019-287-01) URL:https://seclists.org/bugtraq/2019/Oct/20 CONFIRM:https://security.netapp.com/advisory/ntap-20191017-0003/ CONFIRM:https://support.f5.com/csp/article/K53746212?utm_source=f5support&utm_medium=RSS CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03976en_us CONFIRM:https://www.sudo.ws/alerts/minus_1_uid.html DEBIAN:DSA-4543 URL:https://www.debian.org/security/2019/dsa-4543 FEDORA:FEDORA-2019-67998e9f7e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUVAOZBYUHZS56A5FQSCDVGXT7PW7FL2/ FEDORA:FEDORA-2019-72755db9c7 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPLAM57TPJQGKQMNG6RHFBLACD6K356N/ FEDORA:FEDORA-2019-9cb221f2be URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IP7SIOAVLSKJGMTIULX52VQUPTVSC43U/ GENTOO:GLSA-202003-12 URL:https://security.gentoo.org/glsa/202003-12 MISC:http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html MISC:https://resources.whitesourcesoftware.com/blog-whitesource/new-vulnerability-in-sudo-cve-2019-14287 MLIST:[debian-lts-announce] 20191017 [SECURITY] [DLA 1964-1] sudo security update URL:https://lists.debian.org/debian-lts-announce/2019/10/msg00022.html MLIST:[oss-security] 20191014 Sudo: CVE-2019-14287 URL:http://www.openwall.com/lists/oss-security/2019/10/14/1 MLIST:[oss-security] 20191015 Re: Sudo: CVE-2019-14287 URL:https://www.openwall.com/lists/oss-security/2019/10/15/2 MLIST:[oss-security] 20191023 Membership application for linux-distros - VMware URL:http://www.openwall.com/lists/oss-security/2019/10/24/1 MLIST:[oss-security] 20191029 Re: Membership application for linux-distros - VMware URL:http://www.openwall.com/lists/oss-security/2019/10/29/3 MLIST:[oss-security] 20210914 Re: Oracle Solaris membership in the distros list URL:http://www.openwall.com/lists/oss-security/2021/09/14/2 REDHAT:RHBA-2019:3248 URL:https://access.redhat.com/errata/RHBA-2019:3248 REDHAT:RHSA-2019:3197 URL:https://access.redhat.com/errata/RHSA-2019:3197 REDHAT:RHSA-2019:3204 URL:https://access.redhat.com/errata/RHSA-2019:3204 REDHAT:RHSA-2019:3205 URL:https://access.redhat.com/errata/RHSA-2019:3205 REDHAT:RHSA-2019:3209 URL:https://access.redhat.com/errata/RHSA-2019:3209 REDHAT:RHSA-2019:3219 URL:https://access.redhat.com/errata/RHSA-2019:3219 REDHAT:RHSA-2019:3278 URL:https://access.redhat.com/errata/RHSA-2019:3278 REDHAT:RHSA-2019:3694 URL:https://access.redhat.com/errata/RHSA-2019:3694 REDHAT:RHSA-2019:3754 URL:https://access.redhat.com/errata/RHSA-2019:3754 REDHAT:RHSA-2019:3755 URL:https://access.redhat.com/errata/RHSA-2019:3755 REDHAT:RHSA-2019:3895 URL:https://access.redhat.com/errata/RHSA-2019:3895 REDHAT:RHSA-2019:3916 URL:https://access.redhat.com/errata/RHSA-2019:3916 REDHAT:RHSA-2019:3941 URL:https://access.redhat.com/errata/RHSA-2019:3941 REDHAT:RHSA-2019:4191 URL:https://access.redhat.com/errata/RHSA-2019:4191 REDHAT:RHSA-2020:0388 URL:https://access.redhat.com/errata/RHSA-2020:0388 SUSE:openSUSE-SU-2019:2316 URL:http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html SUSE:openSUSE-SU-2019:2333 URL:http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html UBUNTU:USN-4154-1 URL:https://usn.ubuntu.com/4154-1/
Assigning CNA
MITRE Corporation
Date Record Created
20190727	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190727)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)