CVE-2025-46717

Published: May 12, 2025Modified: Jul 9, 2025

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.

Affected (1)

Products: Trifectatech: Sudo

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Trifectatech Sudo	Before 0.2.6

Related CWEs

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

References (3)

https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6

Source: security-advisories@github.com

Release Notes

https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.