CVE-2010-1646
Summary
| CVE | CVE-2010-1646 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2010-06-07 17:12:00 UTC |
| Updated | 2018-10-10 19:57:00 UTC |
| Description | The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Todd Miller | Sudo | 1.3.1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.2p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.2p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.2p3 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p3 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p4 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p5 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p6 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.3p7 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.4 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.4p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.4p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.5 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.5p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.5p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.6 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.7 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.7p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.7p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.7p3 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.7p4 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.7p5 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p10 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p11 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p12 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p3 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p4 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p5 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p6 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p7 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p8 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.8p9 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p10 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p11 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p12 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p13 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p14 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p15 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p16 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p17 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p18 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p19 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p20 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p21 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p22 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p3 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p4 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p5 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p6 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p7 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p8 | All | All | All |
| Application | Todd Miller | Sudo | 1.6.9p9 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.0 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.1 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p1 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p2 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p3 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p4 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p5 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p6 | All | All | All |
| Application | Todd Miller | Sudo | 1.7.2p7 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Webmail: Professional email solution - OVHcloud - OVH | VUPEN | www.vupen.com | |
| Gentoo Linux Documentation -- sudo: Privilege Escalation | GENTOO | security.gentoo.org | |
| sudo: 3057fde43cf0 | CONFIRM | www.sudo.ws | Exploit, Patch |
| 598154 – (CVE-2010-1646) CVE-2010-1646 sudo: insufficient environment sanitization issue | CONFIRM | bugzilla.redhat.com | |
| Support / Security / Advisories / / MDVSA-2010:118 \| Mandriva | MANDRIVA | www.mandriva.com | |
| Todd Miller Sudo 'secure path' Security Bypass Vulnerability | BID | www.securityfocus.com | |
| Support | REDHAT | www.redhat.com | |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | |
| [SECURITY] Fedora 11 Update: sudo-1.7.2p6-2.fc11 | FEDORA | lists.fedoraproject.org | |
| Fedora update for sudo - Secunia.com | SECUNIA | secunia.com | |
| wiki.rpath.com/Advisories:rPSA-2010-0075 | CONFIRM | wiki.rpath.com | |
| 65083 | OSVDB | www.osvdb.org | |
| Red Hat update for sudo - Secunia.com | SECUNIA | secunia.com | |
| sudo: a09c6812eaec | CONFIRM | www.sudo.ws | Exploit, Patch |
| Debian -- Security Information -- DSA-2062-1 sudo | DEBIAN | www.debian.org | |
| Sudo's secure path option can be circumvented | CONFIRM | www.sudo.ws | Vendor Advisory |
| Sudo "secure path" Security Bypass Security Issue - Advisories - Community | SECUNIA | secunia.com | Vendor Advisory |
| [SECURITY] Fedora 12 Update: sudo-1.7.2p6-2.fc12 | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 13 Update: sudo-1.7.2p6-2.fc13 | FEDORA | lists.fedoraproject.org | |
| Gentoo update for sudo - Advisories - Community | SECUNIA | secunia.com | |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2011:002 | SUSE | lists.opensuse.org | |
| SecurityTracker.com Archives - Sudo Error in Processing Duplicate Environment Variables Lets Local Users Bypass Access Controls | SECTRACK | www.securitytracker.com | |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| SUSE update for Multiple Packages - Secunia.com | SECUNIA | secunia.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.