CVE-2023-22809

High · Public PoC · LPE

Published: 18 January 2023

Modified: 04 April 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4437 (97.6th percentile)
Risk Priority: 42 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22809 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Sudo (Sudo Project). Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

In Sudo versions 1.8.0 through 1.9.12p1, the sudoedit feature fails to properly sanitize additional arguments supplied via the SUDO_EDITOR, VISUAL, or EDITOR environment variables. A user-specified editor value containing a "--" separator can bypass an existing protection and cause arbitrary file paths to be appended to the list of files sudoedit will process, resulting in unintended file operations under elevated privileges.

A local attacker who is already permitted to run sudoedit can set one of the affected environment variables to include a crafted editor command. This grants the ability to modify or create arbitrary files as root, enabling straightforward privilege escalation on the affected system.

Public exploit code and technical analyses have been published through channels such as Packet Storm and OpenWall, confirming working proof-of-concept attacks against vulnerable installations. The associated EPSS score rose from lower values after disclosure to a peak of 0.5510 before receding to the current 0.4437, indicating measurable post-disclosure exploitation interest. Upgrading to Sudo 1.9.12p2 or later eliminates the flaw.

Vulnerability details

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
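An added audit helper, not part of this record or of the Sudo project, that applies the two facts above on the defender's side: it compares the version printed by `sudo -V` against the affected range (handling the pN patch level, which a plain string comparison gets wrong, so that 1.9.12p1 sorts below 1.9.12p2) and flags editor variables that carry the standalone "--" argument described in the vulnerability details. The function names and the sample input are constructed for this example.

```python
import re
import shlex

# Affected range as the text above gives it: 1.8.0 through 1.9.12p1, fixed in 1.9.12p2.
# Versions compare as (major, minor, micro, patchlevel); a bare "1.9.12" is patchlevel 0.
FIRST_AFFECTED = (1, 8, 0, 0)
FIRST_FIXED = (1, 9, 12, 2)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")

def parse_sudo_version(text):
    """'1.9.12p1' -> (1, 9, 12, 1); raises ValueError on unfamiliar formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))

def is_vulnerable_version(text):
    """True for upstream versions in the affected range (distros may backport the fix without bumping this)."""
    return FIRST_AFFECTED <= parse_sudo_version(text) < FIRST_FIXED

def version_from_sudo_output(output):
    """Pull the version from the 'Sudo version X' line that `sudo -V` prints first."""
    m = re.search(r"^Sudo version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)

def editor_value_has_separator(value):
    """True if the editor value, split as a shell would, carries a standalone '--'
    argument: the token the advisory says defeats sudoedit's protection."""
    try:
        return "--" in shlex.split(value)
    except ValueError:
        return True  # unbalanced quoting cannot be vetted, so flag it

def audit(sudo_v_output, env):
    """Findings for one host; an empty list means nothing was flagged."""
    findings = []
    version = version_from_sudo_output(sudo_v_output)
    if is_vulnerable_version(version):
        findings.append(f"sudo {version} is in the affected range; upgrade to 1.9.12p2 or later")
    for name in ("SUDO_EDITOR", "VISUAL", "EDITOR"):
        if env.get(name) and editor_value_has_separator(env[name]):
            findings.append(f"{name}={env[name]!r} carries a '--' argument")
    return findings

# Constructed sample input (not from a real host): a vulnerable version plus the quoted EDITOR shape.
SAMPLE_SUDO_V = "Sudo version 1.9.12p1\nSudoers policy plugin version 1.9.12p1\n"
SAMPLE_ENV = {"EDITOR": "vim -- /path/to/extra/file", "VISUAL": "nano"}
```

Running `audit(SAMPLE_SUDO_V, SAMPLE_ENV)` yields two findings, one per fact; on a real host feed it the output of `sudo -V` and `os.environ`, and treat a version hit as a prompt to check the distribution's package changelog for a backported fix.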

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sudo project / sudo: 1.9.12 · 1.8.0 — 1.9.12
debian / debian linux: 10.0, 11.0
fedoraproject / fedora: 36, 37
apple / macos: ≤ 13.4

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-269: Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

Addresses CWE-269: Access supervision ensures privileges are assigned and managed without improper escalation or retention.

Addresses CWE-269: Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

Addresses CWE-269: Enforces proper privilege management by requiring that all access decisions pass through the verified reference monitor.

Addresses CWE-269: By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

Addresses CWE-269: Implements core privilege management by restricting accounts to only the rights they require.

Addresses CWE-269: Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.

Addresses CWE-269: Training covers proper privilege management practices, making incorrect privilege assignments less likely.
