Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A privilege escalation vulnerability may enable a service account to elevate its privileges.
The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execute arbitrary commands as that account.
It is important to note that no such vector has been identified in this instance.
AnalysisAI
Privilege escalation vulnerability affecting service accounts through excessively permissive sudo rules that could allow elevation to administrative privileges. The vulnerability requires local access and lower privileges to exploit (CVSS 7.0), but notably, no actual exploitation vector has been identified in the wild. While the CVSS score indicates high impact potential, the absence of a confirmed attack vector and lack of active exploitation signals suggest this is a configuration hardening issue rather than an immediately critical threat.
Technical ContextAI
This vulnerability stems from CWE-250 (Execution with Unnecessary Privileges), a root cause class where applications or system configurations grant excessive permissions beyond what is functionally required. The specific manifestation involves sudo rule misconfigurations that allow a service account (a non-interactive account typically used for application or daemon execution) to execute commands with administrative (root) privileges. Sudo rules define which users can execute which commands as other users without passwords; when these rules are overly broad, they create a privilege escalation pathway. The attack surface is local-only, requiring an attacker to either compromise the service account or be able to execute code within that account's context. This typically affects Unix/Linux systems where sudo is the standard privilege escalation mechanism.
RemediationAI
- Audit all sudo rules for service accounts by executing 'sudo -l' as each service account and reviewing sudoers file entries (/etc/sudoers and /etc/sudoers.d/). 2. Apply principle of least privilege: restrict sudo rules to only the specific commands required for each service account's function, using absolute paths and avoiding wildcards or ALL commands. 3. Use sudo command aliases and parameter restrictions to limit what can be executed. 4. Implement sudo logging and auditing (Defaults log_output, Defaults use_pty) to detect abuse. 5. Consider using alternative mechanisms like capabilities (setcap) or AppArmor/SELinux profiles instead of broad sudo rules where applicable. 6. If vendor-specific guidance is available (check with your service account/application vendor), follow their hardening recommendations. No patch version information is available, as this appears to be a configuration issue rather than a software bug requiring code patches.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2024-54661