Fluid Attacks Database

Description

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	sudo	>=0 <1.8.5p2-1+nmu1	1.8.5p2-1+nmu1
debian 13	sudo	>=0 <1.8.5p2-1+nmu1	1.8.5p2-1+nmu1
debian 12	sudo	>=0 <1.8.5p2-1+nmu1	1.8.5p2-1+nmu1
rpm rhel6	sudo	<0:1.8.6p3-7.el6	0:1.8.6p3-7.el6
debian 11	sudo	>=0 <1.8.5p2-1+nmu1	1.8.5p2-1+nmu1
rpm rhel5	sudo	<0:1.7.2p1-28.el5	0:1.7.2p1-28.el5

Aliases

1. CVE-2013-17762. NVD-2013-17763. OSV-DEBIAN-2013-17764. OSV-2013-17765. SECURITY-TRACKER-CVE-2013-1776

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.