CVE-2019-19232

Publication date 19 December 2019

Last updated 4 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
sudo	20.04 LTS focal	Fixed 1.8.31-1ubuntu1
	19.10 eoan	Not affected
	19.04 disco	Ignored end of life
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Notes

mdeslaur

upstream sudo has disputed this CVE, sudo works as intended and as documented, so marking this as not-affected.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
sudo	Upstream: https://www.sudo.ws/repos/sudo/rev/ebdbb5c7f60b

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N