GHSA-W9Q3-G4P5-5Q2R

Vulnerability from github – Published: 2025-05-13 20:05 – Updated: 2025-05-13 20:05
VLAI?
Summary
sudo-rs Allows Low Privilege Users to Enumerate Privileges of Others
Details

Summary

Users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the -U flag. This doesn't happen with the original sudo.

PoC

The initial test has been done in a container running Ubuntu 24.04 and installing oxidizr, running sudo-rs 0.2.2.

A user (bob) has been added with only ps command executable through sudo:

root    ALL=(ALL:ALL) ALL
bob     ALL=(ALL:ALL) /usr/bin/ps

The user is not able to read the /etc/sudoers file and running sudo -l -Uroot with original sudo (version 1.9.15p5) causes the following error:

Sorry, user bob is not allowed to execute 'list' as root on 43d4aed3cdbd.

The same command with sudo-rs is run without denying the execution:

User root may run the following commands on 43d4aed3cdbd:
    (ALL : ALL) ALL

The same happens for other non-root users:

bob@43d4aed3cdbd:~$ sudo -l -Ufoo
User foo may run the following commands on 43d4aed3cdbd:
    (ALL : ALL) /usr/bin/whoami

The behavior has been also been observed for version 0.2.5.

Impact

Users with limited sudo privileges can enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used to more targeted attacks.

Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory.

Credits

This issue was identified by Sonia Zorba.

Severity ?
3.3 (Low)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "sudo-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-497"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:05:55Z",
    "nvd_published_at": "2025-05-12T15:16:01Z",
    "severity": "LOW"
  },
  "details": "### Summary\nUsers with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This doesn\u0027t happen with the original sudo.\n\n### PoC\n\nThe initial test has been done in a container running Ubuntu 24.04 and installing [oxidizr](https://github.com/jnsgruk/oxidizr), running sudo-rs 0.2.2.\n\nA user (bob) has been added with only ps command executable through sudo:\n\n```\nroot    ALL=(ALL:ALL) ALL\nbob     ALL=(ALL:ALL) /usr/bin/ps\n```\n\nThe user is not able to read the `/etc/sudoers` file and running `sudo -l -Uroot` with original sudo (version 1.9.15p5) causes the following error:\n\n```\nSorry, user bob is not allowed to execute \u0027list\u0027 as root on 43d4aed3cdbd.\n```\n\nThe same command with sudo-rs is run without denying the execution:\n\n```\nUser root may run the following commands on 43d4aed3cdbd:\n    (ALL : ALL) ALL\n```\n\nThe same happens for other non-root users:\n\n```\nbob@43d4aed3cdbd:~$ sudo -l -Ufoo\nUser foo may run the following commands on 43d4aed3cdbd:\n    (ALL : ALL) /usr/bin/whoami\n```\n\nThe behavior has been also been observed for version 0.2.5.\n\n### Impact\nUsers with limited sudo privileges can enumerate the sudoers file, revealing sensitive information about other users\u0027 permissions. Attackers can collect information that can be used to more targeted attacks.\n\nSystems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory.\n\n### Credits\nThis issue was identified by [Sonia Zorba](https://www.zonia3000.net/).",
  "id": "GHSA-w9q3-g4p5-5q2r",
  "modified": "2025-05-13T20:05:55Z",
  "published": "2025-05-13T20:05:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-w9q3-g4p5-5q2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46718"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trifectatechfoundation/sudo-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sudo-rs Allows Low Privilege Users to Enumerate Privileges of Others"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.