CVE-2005-2959
sudo - missing input sanitising
EPSS 0.13%
Description
Incomplete blacklist vulnerability in sudo 1.6.8 and earlier allows local users to gain privileges via the (1) SHELLOPTS and (2) PS4 environment variables before executing a bash script on behalf of another user, which are not cleared even though other variables are.
How to fix CVE-2005-2959
To remediate CVE-2005-2959, upgrade the affected package to a fixed version below.
- Debian/sudo—upgrade to 1.6.8p9-3 or later
- Debian/sudo—upgrade to 1.6.6-1.4 or later
Is CVE-2005-2959 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.6.8p9-3
- from 0, < 1.6.6-1.4