CVE-2025-46717
Publication date 12 May 2025
Last updated 30 May 2025
Ubuntu priority
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rust-sudo-rs | 25.04 plucky |
Needs evaluation
|
| 24.10 oracular |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.3 · Low
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-46717
- https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6
- https://github.com/trifectatechfoundation/sudo-rs/commit/54984189d62a0763235d4a02a4b2d09d768a9986 (v0.2.6)
- https://github.com/trifectatechfoundation/sudo-rs/commit/848719f28067d3b5e6672d07f34da5b24f85765b (v0.2.6)