logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-46718 sudo-rs

Package

Manager: cargo
Name: sudo-rs
Vulnerable Version: >=0 <0.2.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0002 pctl0.0358

Details

sudo-rs Allows Low Privilege Users to Enumerate Privileges of Others ### Summary Users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This doesn't happen with the original sudo. ### PoC The initial test has been done in a container running Ubuntu 24.04 and installing [oxidizr](https://github.com/jnsgruk/oxidizr), running sudo-rs 0.2.2. A user (bob) has been added with only ps command executable through sudo: ``` root ALL=(ALL:ALL) ALL bob ALL=(ALL:ALL) /usr/bin/ps ``` The user is not able to read the `/etc/sudoers` file and running `sudo -l -Uroot` with original sudo (version 1.9.15p5) causes the following error: ``` Sorry, user bob is not allowed to execute 'list' as root on 43d4aed3cdbd. ``` The same command with sudo-rs is run without denying the execution: ``` User root may run the following commands on 43d4aed3cdbd: (ALL : ALL) ALL ``` The same happens for other non-root users: ``` bob@43d4aed3cdbd:~$ sudo -l -Ufoo User foo may run the following commands on 43d4aed3cdbd: (ALL : ALL) /usr/bin/whoami ``` The behavior has been also been observed for version 0.2.5. ### Impact Users with limited sudo privileges can enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used to more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. ### Credits This issue was identified by [Sonia Zorba](https://www.zonia3000.net/).

Metadata

Created: 2025-05-13T20:05:55Z
Modified: 2025-05-13T20:05:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-w9q3-g4p5-5q2r/GHSA-w9q3-g4p5-5q2r.json
CWE IDs: ["CWE-497"]
Alternative ID: GHSA-w9q3-g4p5-5q2r
Finding: F017
Auto approve: 1