Amazon Linux 2023: CVE-2023-28486: Important priority package update for sudo

Amazon Linux 2023: CVE-2023-28486: Important priority package update for sudo

Severity

5

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

03/16/2023

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

Sudo before 1.9.13 does not escape control characters in log messages. A flaw was found in the sudo package, shipped with Red Hat Enterprise Linux 8 and 9, where sudo improperly escapes terminal control characters during logging operations. As sudo's log messages may contain user-controlled strings, this may allow an attacker to inject terminal control commands, leading to a leak of restricted information.

Solution(s)

• amazon-linux-2023-upgrade-sudo
• amazon-linux-2023-upgrade-sudo-debuginfo
• amazon-linux-2023-upgrade-sudo-debugsource
• amazon-linux-2023-upgrade-sudo-devel
• amazon-linux-2023-upgrade-sudo-logsrvd
• amazon-linux-2023-upgrade-sudo-logsrvd-debuginfo
• amazon-linux-2023-upgrade-sudo-python-plugin
• amazon-linux-2023-upgrade-sudo-python-plugin-debuginfo

References

• https://attackerkb.com/topics/cve-2023-28486
• CVE - 2023-28486
• https://alas.aws.amazon.com/AL2023/ALAS-2023-135.html