Alpine: multiple sudo packages: security update to 1.7.2-r0 (deprecated)

high Tenable Cloud Security Plugin ID 401270

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match
between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which
allows local users to gain privileges via a crafted executable file, as demonstrated by a file named
sudoedit in a user's home directory. (CVE-2010-0426)

- sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group
memberships, which allows local users to gain privileges via a sudo command. (CVE-2010-0427)

See Also

https://git.alpinelinux.org/aports/commit/?id=7b767145b591d4d81ce05f3af078278460258dd5

https://git.alpinelinux.org/aports/commit/?id=b4a434179f814cf7e7768145bff2e945d7c93548

Plugin Details

Severity: High

ID: 401270

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.36

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2010-0426

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/8/2010

Vulnerability Publication Date: 1/28/2010

Exploitable With

Core Impact

Reference Information

CVE: CVE-2010-0426, CVE-2010-0427

BID: 38362, 38432