Vulnerability details: VCID-vcb8-ab38-aaas
Vulnerability ID VCID-vcb8-ab38-aaas
Aliases CVE-2019-19232
Summary ** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.
Status Disputed
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html
rhas Moderate https://access.redhat.com/errata/RHSA-2020:1804
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19232.json
epss 0.00758 https://api.first.org/data/v1/epss?cve=CVE-2019-19232
epss 0.00764 https://api.first.org/data/v1/epss?cve=CVE-2019-19232
epss 0.01458 https://api.first.org/data/v1/epss?cve=CVE-2019-19232
epss 0.02918 https://api.first.org/data/v1/epss?cve=CVE-2019-19232
epss 0.04468 https://api.first.org/data/v1/epss?cve=CVE-2019-19232
epss 0.06893 https://api.first.org/data/v1/epss?cve=CVE-2019-19232
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1786704
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232
cvssv3.1 6.7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2019-19232
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2019-19232
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2019-19232
generic_textual Low https://www.sudo.ws/devel.html#1.8.30b2
generic_textual Low https://www.sudo.ws/stable.html
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19232.json
https://access.redhat.com/security/cve/cve-2019-19232
https://api.first.org/data/v1/epss?cve=CVE-2019-19232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232
http://seclists.org/fulldisclosure/2020/Mar/31
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870
https://security.netapp.com/advisory/ntap-20200103-0004/
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232
https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506
https://support.apple.com/en-gb/HT211100
https://support.apple.com/kb/HT211100
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html
https://www.oracle.com/security-alerts/bulletinapr2020.html
https://www.sudo.ws/devel.html#1.8.30b2
https://www.sudo.ws/stable.html
https://www.tenable.com/plugins/nessus/133936
1786704 https://bugzilla.redhat.com/show_bug.cgi?id=1786704
947225 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225
cpe:2.3:a:sudo:sudo:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sudo:sudo:*:*:*:*:*:*:*:*
CVE-2019-19232 https://nvd.nist.gov/vuln/detail/CVE-2019-19232
RHSA-2020:1804 https://access.redhat.com/errata/RHSA-2020:1804
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19232.json
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-19232
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-19232
Exploit Prediction Scoring System (EPSS)
Percentile 0.81516
EPSS Score 0.00758
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-09-22T01:18:20.640085+00:00 NVD CVE Status Improver Improve https://cveawg.mitre.org/api/cve/CVE-2019-19232 34.0.1