Severity: LOW (3.3)

GHSA-98cv-wqjx-wx8f

sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders

Details

### Summary

Users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access, using `sudo --list <pathname>`.

### PoC

As root:

```
# mkdir /tmp/foo
# chmod a-rwx /tmp/foo
# touch /tmp/foo/secret_file
```

As a user without any (or limited) sudo rights:

```
$ sudo --list /tmp/foo/nonexistent_file
sudo-rs: '/tmp/foo/nonexistent_file': command not found

$ sudo --list /tmp/foo/secret_file
sudo-rs: Sorry, user eve may not run sudo on host.
```

I.e. the user can distinguish whether files exist.

### Related

Original sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.

### Impact

Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks.

### Credits

This issue was identified by sudo-rs developer Marc Schoolderman.


### Affected packages

- crates.io / sudo-rs
  - Introduced in: 0
  - Fixed in: 0.2.6

Upgrade sudo-rs to 0.2.6 or newer (ecosystem crates.io).
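The following POSIX shell script is an added example, not part of the advisory or of the sudo-rs project. It compares an installed sudo-rs version against the fixed release 0.2.6 named above, so an administrator can script the "are you affected?" check across hosts. The banner format `sudo-rs X.Y.Z` that `extract_version` parses is an assumption about the output of `sudo --version`; the sample banners at the bottom are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the advisory or the sudo-rs project): decide whether an
# installed sudo-rs is at or above the fixed release named in the advisory.
FIXED_VERSION="0.2.6"

# version_key VERSION: map "MAJOR.MINOR.PATCH" to a single integer so that versions
# can be compared with -ge. Non-digit suffixes on a component ("15p5", "6-rc1") are
# dropped, so a pre-release is treated as equal to its release.
version_key() {
  IFS=. read -r major minor patch rest <<EOF
$1
EOF
  major=${major%%[!0-9]*}
  minor=${minor%%[!0-9]*}
  patch=${patch%%[!0-9]*}
  printf '%d\n' $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# is_fixed_version VERSION: succeeds (exit 0) when VERSION >= FIXED_VERSION.
is_fixed_version() {
  [ "$(version_key "$1")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# extract_version TEXT: pull the first dotted number out of a version banner.
# Assumption: `sudo --version` on a sudo-rs system prints a line like "sudo-rs 0.2.5".
extract_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1
}

# report_banner TEXT: print a verdict for one banner; exit 0 if fixed, 1 if affected.
report_banner() {
  ver=$(extract_version "$1")
  if is_fixed_version "$ver"; then
    printf 'sudo-rs %s: not affected by GHSA-98cv-wqjx-wx8f (fixed in %s)\n' "$ver" "$FIXED_VERSION"
    return 0
  fi
  printf 'sudo-rs %s: AFFECTED, upgrade to %s or newer\n' "$ver" "$FIXED_VERSION"
  return 1
}

# Constructed sample banners stand in for `sudo --version` so the script runs offline.
report_banner "sudo-rs 0.2.5" || true
report_banner "sudo-rs 0.2.6" || true
```

On a real host, replace the constructed banners with `report_banner "$(sudo --version 2>/dev/null | head -n 1)"`; the exit status (0 fixed, 1 affected) makes the function usable from configuration-management or fleet-audit tooling.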
