CVE-2019-19232

Name: CVE-2019-19232
Description: ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.
Source: CVE (at NVD)
NVD severity: medium
Debian Bugs: 947225

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version               Status
sudo (PTS)       jessie                       1.8.10p3-1+deb8u5     vulnerable
                 jessie (security)            1.8.10p3-1+deb8u7     vulnerable
                 stretch (security), stretch  1.8.19p1-2.1+deb9u2   vulnerable
                 buster                       1.8.27-1+deb10u2      vulnerable
                 buster (security)            1.8.27-1+deb10u1      vulnerable
                 bullseye, sid                1.8.31p1-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
sudo      source   (unstable)   1.8.31-1        unimportant            947225

Notes

https://www.sudo.ws/devel.html#1.8.30b2
Sudo 1.8.30 introduces an option to enable/disable the behavior.
