CVE-2019-19234

Description

In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. Indeed it is a valid use case to have local accounts that are _only_ accessible via sudo and that cannot be logged into with a password. Sudo 1.8.30 added an optional setting to check the _shell_ of the target user (not the encrypted password!) against the contents of /etc/shells but that is not the same thing as preventing access to users with an invalid password hash

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 2.92% Top 15%
Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory sudo.ws Vendor Advisory sudo.ws
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://www.sudo.ws/stable.html vendor advisory
https://www.sudo.ws/devel.html#1.8.30b2 vendor advisory
https://security.netapp.com/advisory/ntap-20200103-0004/
https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5505
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58104
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58473
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58772
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs60748
https://www.tenable.com/plugins/nessus/132985
https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1019-3816
https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19234
https://www.suse.com/security/cve/CVE-2019-19234/
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html
https://access.redhat.com/security/cve/cve-2019-19234
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/ vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/ vendor advisory
https://www.oracle.com/security-alerts/bulletinapr2020.html

Frequently Asked Questions

What is the severity of CVE-2019-19234?
CVE-2019-19234 has been scored as a high severity vulnerability.
How to fix CVE-2019-19234?
To fix CVE-2019-19234, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2019-19234 being actively exploited in the wild?
It is possible that CVE-2019-19234 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.