{"id":"CVE-2023-28487","details":"Sudo before 1.9.13 does not escape control characters in sudoreplay output.","modified":"2026-04-02T08:50:02.899481Z","published":"2023-03-16T01:15:47.067Z","related":["ALSA-2024:0811","MGASA-2023-0133","SUSE-SU-2023:1659-1","SUSE-SU-2023:1665-1","SUSE-SU-2023:1698-1","SUSE-SU-2023:1699-1","SUSE-SU-2023:1700-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/02/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202309-12"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230420-0002/"},{"type":"FIX","url":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/millert/sudo","events":[{"introduced":"0"},{"fixed":"effed9ecbb54acedcbf32d53d9ebd571498867b4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.9.13"}]}},{"type":"GIT","repo":"https://github.com/sudo-project/sudo","events":[{"introduced":"0"},{"fixed":"334daf92b31b79ce68ed75e2ee14fca265f029ca"},{"fixed":"effed9ecbb54acedcbf32d53d9ebd571498867b4"}]}],"versions":["SUDO_1_3_0","SUDO_1_3_1","SUDO_1_4_0","SUDO_1_5_0","SUDO_1_5_1","SUDO_1_5_2","SUDO_1_5_3","SUDO_1_5_4","SUDO_1_5_6","SUDO_1_5_7","SUDO_1_5_8","SUDO_1_5_9","SUDO_1_6_0","SUDO_1_6_1","SUDO_1_6_2","SUDO_1_6_3","SUDO_1_6_4","SUDO_1_6_5","SUDO_1_6_6","SUDO_1_6_7","SUDO_1_6_8","SUDO_1_6_8p1","SUDO_1_7_0","SUDO_1_7_1","SUDO_1_7_10","SUDO_1_7_10p1","SUDO_1_7_10p2","SUDO_1_7_10p3","SUDO_1_7_10p4","SUDO_1_7_10p5","SUDO_1_7_10p6","SUDO_1_7_10p7","SUDO_1_7_10p8","SUDO_1_7_10p9","SUDO_1_7_2","SUDO_1_7_3","SUDO_1_7_4","SUDO_1_7_5","SUDO_1_7_6","SUDO_1_7_7","SUDO_1_7_8","SUDO_1_7_9","SUDO_1_7_9p1","SUDO_1_8_0","SUDO_1_8_1","SUDO_1_8_10","SUDO_1_8_10p1","SUDO_1_8_10p2","SUDO_1_8_10p3","SUDO_1_8_11","SUDO_1_8_11p1","SUDO_1_8_11p2","SUDO_1_8_12","SUDO_1_8_13","SUDO_1_8_14","SUDO_1_8_14p1","SUDO_1_8_14p3","SUDO_1_8_15","SUDO_1_8_16","SUDO_1_8_17","SUDO_1_8_17p1","SUDO_1_8_18","SUDO_1_8_18p1","SUDO_1_8_19","SUDO_1_8_19p1","SUDO_1_8_19p2","SUDO_1_8_2","SUDO_1_8_20","SUDO_1_8_20p1","SUDO_1_8_20p2","SUDO_1_8_21","SUDO_1_8_21p1","SUDO_1_8_21p2","SUDO_1_8_22","SUDO_1_8_23","SUDO_1_8_24","SUDO_1_8_25","SUDO_1_8_25p1","SUDO_1_8_26","SUDO_1_8_27","SUDO_1_8_28","SUDO_1_8_28p1","SUDO_1_8_29","SUDO_1_8_3","SUDO_1_8_30","SUDO_1_8_31","SUDO_1_8_31p1","SUDO_1_8_31p2","SUDO_1_8_32","SUDO_1_8_4","SUDO_1_8_4p1","SUDO_1_8_4p2","SUDO_1_8_4p3","SUDO_1_8_4p4","SUDO_1_8_4p5","SUDO_1_8_5","SUDO_1_8_5p1","SUDO_1_8_5p2","SUDO_1_8_5p3","SUDO_1_8_6","SUDO_1_8_6p1","SUDO_1_8_6p2","SUDO_1_8_6p3","SUDO_1_8_6p4","SUDO_1_8_6p5","SUDO_1_8_6p6","SUDO_1_8_6p7","SUDO_1_8_6p8","SUDO_1_8_7","SUDO_1_8_8","SUDO_1_8_9","SUDO_1_8_9p1","SUDO_1_8_9p2","SUDO_1_8_9p3","SUDO_1_8_9p4","SUDO_1_8_9p5","SUDO_1_9_0","SUDO_1_9_1","SUDO_1_9_10","SUDO_1_9_11","SUDO_1_9_11p1","SUDO_1_9_11p2","SUDO_1_9_11p3","SUDO_1_9_12","SUDO_1_9_12p1","SUDO_1_9_12p2","SUDO_1_9_2","SUDO_1_9_3","SUDO_1_9_3p1","SUDO_1_9_4","SUDO_1_9_4p1","SUDO_1_9_4p2","SUDO_1_9_5","SUDO_1_9_5p1","SUDO_1_9_5p2","SUDO_1_9_6","SUDO_1_9_6p1","SUDO_1_9_7","SUDO_1_9_7p1","SUDO_1_9_7p2","SUDO_1_9_8","SUDO_1_9_8p1","SUDO_1_9_8p2","SUDO_1_9_9","TAG","v1.3.0","v1.3.1","v1.4.0","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.6","v1.5.7","v1.5.8","v1.5.9","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.6.8p1","v1.7.0","v1.7.1","v1.7.10","v1.7.10p1","v1.7.10p2","v1.7.10p3","v1.7.10p4","v1.7.10p5","v1.7.10p6","v1.7.10p7","v1.7.10p8","v1.7.10p9","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.7.8","v1.7.9","v1.7.9p1","v1.8.0","v1.8.1","v1.8.10","v1.8.10p1","v1.8.10p2","v1.8.10p3","v1.8.11","v1.8.11p1","v1.8.11p2","v1.8.12","v1.8.13","v1.8.14","v1.8.14p1","v1.8.14p3","v1.8.15","v1.8.16","v1.8.17","v1.8.17p1","v1.8.18","v1.8.18p1","v1.8.19","v1.8.19p1","v1.8.19p2","v1.8.2","v1.8.20","v1.8.20p1","v1.8.20p2","v1.8.21","v1.8.21p1","v1.8.21p2","v1.8.22","v1.8.23","v1.8.24","v1.8.25","v1.8.25p1","v1.8.26","v1.8.27","v1.8.28","v1.8.28p1","v1.8.29","v1.8.3","v1.8.30","v1.8.31","v1.8.31p1","v1.8.31p2","v1.8.32","v1.8.4","v1.8.4p1","v1.8.4p2","v1.8.4p3","v1.8.4p4","v1.8.4p5","v1.8.5","v1.8.5p1","v1.8.5p2","v1.8.5p3","v1.8.6","v1.8.6p1","v1.8.6p2","v1.8.6p3","v1.8.6p4","v1.8.6p5","v1.8.6p6","v1.8.6p7","v1.8.6p8","v1.8.7","v1.8.8","v1.8.9","v1.8.9p1","v1.8.9p2","v1.8.9p3","v1.8.9p4","v1.8.9p5","v1.9.0","v1.9.1","v1.9.10","v1.9.11","v1.9.11p1","v1.9.11p2","v1.9.11p3","v1.9.12","v1.9.12p1","v1.9.12p2","v1.9.2","v1.9.3","v1.9.3p1","v1.9.4","v1.9.4p1","v1.9.4p2","v1.9.5","v1.9.5p1","v1.9.5p2","v1.9.6","v1.9.6p1","v1.9.7","v1.9.7p1","v1.9.7p2","v1.9.8","v1.9.8p1","v1.9.8p2","v1.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28487.json","vanir_signatures":[{"digest":{"function_hash":"229369774424280178805318278907224419721","length":1493},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28487-0c4fc12e","target":{"file":"plugins/sudoers/sudoreplay.c","function":"list_session"}},{"digest":{"threshold":0.9,"line_hashes":["12887639754874148520502753046394007252","62944566902382715355101543327417312361","27071161569768023308405698066271319330","13394220567081593476006334224345693906","243228231160196353840374475420665592802","20177373677433852621434283607555013823","46562408092224571220417877007408700566"]},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2023-28487-1d7ec19a","target":{"file":"include/sudo_lbuf.h"}},{"digest":{"function_hash":"117744953839383989958255480285609696630","length":1741},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28487-48cba031","target":{"file":"plugins/sudoers/sudoreplay.c","function":"match_expr"}},{"digest":{"function_hash":"181724346309858919556891521782781830402","length":4739},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28487-713dd463","target":{"file":"plugins/sudoers/sudoreplay.c","function":"main"}},{"digest":{"threshold":0.9,"line_hashes":["88561141825058651877754804628917490179","205709282098242392360851281985359208129","96832792239926761070943447314306522049","213060654868847572919553181536664660452","333909093857044282199338814806343288364","51793881837699632130089531126876243642","71047399382100625907376913950328726610","60975520160070519814888757028725569422","203115298431591787931170677543179011007","22681303034829771283572016665555912729","293163614450374067872999449736702599597","80823416557191237484603998615292444996","13490957000082345753442710983503960902","53633565712905496252490796197958929752","212215517506587210663428752869797728423","288348947633237594497128474506595947182","178924492585297524454398594365241767049","17088555687564705200448805883597512008","249476610963586517282689589725645693900","85215095900172957524726695989155111731","322761479524946293309307201836543333958","281972985078892481759339275825886977671","51747668364433138846297594333562983683","123459459502482816273626693964449562222","194358480440165532189112222576132690163","288348947633237594497128474506595947182","16148983680417285272657957262014898690","327270549485404132139375131069777385192","167565276299181495804641757456076708189","136579601357399195377658017533684002309","335161552473685647234378037910594834288","312007036072393481629089441542003443918","110511688030471787061135011374098825470"]},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2023-28487-8eb3a0ec","target":{"file":"lib/iolog/iolog_json.c"}},{"digest":{"threshold":0.9,"line_hashes":["20294921160201523554480765810867887145","73699963103081400850325532650832698679","61501406704020802837717534991881735104"]},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2023-28487-9d3d3444","target":{"file":"lib/util/lbuf.c"}},{"digest":{"function_hash":"289260589018902025477806793421579244812","length":2334},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28487-adcfedf7","target":{"file":"lib/iolog/iolog_json.c","function":"iolog_parse_json_object"}},{"digest":{"function_hash":"37123049824665006123331254183765143803","length":6536},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28487-c841d37e","target":{"file":"lib/eventlog/eventlog.c","function":"new_logline"}},{"digest":{"function_hash":"221424393065734271445815024745587574853","length":2152},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2023-28487-c9c47705","target":{"file":"plugins/sudoers/sudoreplay.c","function":"find_sessions"}},{"digest":{"threshold":0.9,"line_hashes":["79938060020032550669334080656305780240","104622220315921361408042702109097276637","163551480692929259963307445623762367121","60470986352705334787812809597078772831","205233607313178758780538877011108671082","302822651496930445499020761665014421669","331409663864336133191768975247560731270","306155813448311569706209685520731385720","325609853416732186869357447461731350842","227361307088977682724717347689877281233","169921018407105751837594308609829423936","55459226748201153693877193121956995239","242345830000190253040149832685637086735","163927875732252693599467900340657688430","285430722743882785732477352061419871770","317275689551294905195292139587576273233","319987802383151496908004466681611219052","248499098863944273606438750000441240488","30206825801222983501611401874234202900","100057143632707043411208230318939401011","184985575929687687356305671383586710721","217546073998253128409470366200234969075","272630918858788579305872844886152835212","65655941768865015638566776347436148082","110258015299414721107572706220174682915","221743744659451200398388230972507568201","273064369391405228075911802571294294277","272729383302472681980465664244539560408","226369709833654011711206794209016559511","150557451949978199703088038454219142989","167766646525065510121132609929252900369","206818684876607287556420172279655734625","130648503039177147469008435370966078291","331423256326660860944531273477917423221","9252130110509651116107762208088444153","54325242330328283311263790554602230743","91176435971745653091389538647633594226","40584989028629366120175000297821806232","78464632945365626626130285305479228737","121367910824853255631103645525463488088","132791601117407536681466446521723485590","174185228029422269582383897268397375268","72851396292071905296783532262151296361","79685283249498663060956452425550977966","169280456907925778310450029244459826901","331208191390733745698507694068388291466","18843189556522226778778859701176714912","318239804915552232334204479747798067803","76262873083715911003128427819213780861","240099543013059359133481911275833067339","9287202851940666149804456678655398489","321319063238615019356143658696940907040","325535339717564207112825057365647713832","214202059266939707568862648371458935913","118272724948898658421600468032815966550","81743000196074522344673909526808326561","145541086334160033779857184584769188687","61963290662897870071390438151309870015","256071822667253756915629845443285640666","105546259740745656875837291297604570120","146673393641018798618317828119352583573","339508306976086730307027743045510365276","21469540368364074688754254712945700663","61067150532507238347069811694707343003","23385135017299042150457619877187207178","333724714077886009068403676561890277350","258249569805793860360449699695505684226","25699464082482336087024733791881421512"]},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2023-28487-d2ffbb56","target":{"file":"plugins/sudoers/sudoreplay.c"}},{"digest":{"threshold":0.9,"line_hashes":["30829567441753039279457075010492954997","172021069468974335229812762823337476245","329035798817904485017714781776452164411","122505940478587134283819311857456581809","24036062319037983999733182164933148122","101044055946130415736500685302278253920","285346383237997832207792581232890673501","170780677828826633624309697707272659036","264897052502409779011914456744118112611","37680873387100121364331059049582484325","229739713821178125661553588221898823783","240540883892228765996470986419175620436","85584427835132742112981341772474842945","133901044771315379836262058356084045655","214159242724348606587548824729869568928","113556430637237165998963527516859336245","156617949189599673437999773466218442804","43047590198142729458421722873024467121","9459426474483519688632493904202123370","224186434470857001306013097736039870608","254942329513642551583469570654714274150","78929108581487038110071353459103435902","319402537963755531282286401608888559323","131989409393210350405161703303214063243","305847330618998460700945958370959471014","92492736796608390948121179200664523681","188320566635992327735461509943419153702","95263505349127957940834689939562526028","166752416410685616950027367457370159275","337555429325860950748759202967477586117","277388989270421287195304231205945339375","311175447685264820865077258879897404038","177706900823535722688949711716111308378","48343993626544353351856952112315324523","59085258384168734411043703916660242059","40382788326977769812135258048998280390","136265654362617243786290836988588828771","175207820399120319665578221258603640459","332806016411120083976127076291411565255","35173738979115096670580758945338212810","303794248929240002042279650289702964303","284046743711014559778592062619145040173","90101086192999960992648199367512975966","125593390789236877395234934188209921214","273435572839131556485734798834589297318","91037989438645720326176956666475356598","140070656139325480459787478684093864524","254890473401760226179436322221973835497","274528534088188931232181839953028912952","249859362303484077571900794707482872001","44941650846224644125207125230276384421","54877591393198952344923063210963681312","124343687221614709020763000723379913460","177916020802187920070732085459671030511","88582008111439008977787411946426787868","237231048687982379659405150474096512991","13196549290380393750535523906398831042","188389717842974508440195583171345668084","302815256170191217187227783715713325292","319893902004439102367009146099180750122","277012779410107586922979646337608802014","182620028282464050863266985434056125839","106286249873879194590378351044324356798","180823641308839489520382851695083642761","319741192355990315197107940051819285827","209646334667419312552666372566747654674","194126305518558396552092799244629578505","265735662323193274955297665224890016941","260945286047961212095571950759757496611","72632307916411367845722057242663756357","95608571732217333104217909885921878648","19061622311528627876499898853946811024","74803312739527283686465934911368305084","115492191811612462318467908327173883656","292409212153795760796928239510263598548","244096941117297739634185850137524374401","9360735720621287007007306702902049815","76948199687682789365446644227419699003","92848073334322986627606898685156020270","121427524810380026092675709350155949630","179874262026414756533560456239836221222","215439581924107827587091762513306856436","56411015526412569540739060173247318272","142415772657130098312827715761594905681","71707391045837859736352094712133495798","259662016248845712530245768492847786271","96864765436247372828392861231789800482","154622945500175911532662991633858788378","66891853155633328305289805303630223021","112964790100188168288716534633816674905","142324442656647980462014319042241155030","213410423685154344069861992543376482517","278550674011030207916373755335398798232","109007855110839966824450532641739577804","151516566576455706349792098478584961360","245820389257229897599605796117351438840","133203680917106341488269515677696302635","249617113318669646440013788606160770563","165923656351055655748131968473566313833","230744745281654637090196049036600627610","42531362148378433430658996942977021974","75259373983585584543866615368577701551","198156145007465302486619762746445486430","161754478303173399331102312169980974987","93726953981616017873186453620698999098","324322132530677908745202902013437187245","192084730532214012513706070680299582338","55462191770485792262022213342826726029","174529830268960112436365988300037890265","328036488344806134467639945082214687153","7370760247107881511370473326153393418","325282815742907818131401448083022120409","58664179599188939843460576246205265565","220364303503514949640203321482788995431","130469774933221518942281964626577108620","81221890116586618295885727803425720015","228966442349655011310576183486179813686","43221600822275956686817322478834900517","139028481580357834924908310213874320605","146679191337036681563509625088677680213","339377293597413030042481333151002444780","106794402905271637900839192919445848537","146113817368483289248051975586802961346","65513835383927388539906200731829030688","212530876360349395158104773997376917047","163106111313240373567931291129053138950","287029547144251967238314977657474755832","330888901681076426466880103830124779333","292430427543451122116339603958277830228","75000511757599351384689618485600251241","203654273727256440277712436028840261481","230139203109376317149407410413883166514","118777588781020122457259913932944853792","233232951518760562696690519945173119825","201958358849449964179897964992907129754","130990324308280237319962473798456132346","105761729910849391016030807649195288105","148255864893519267390886415490999933950","325495963665416190567404595333251377510","314033995325508933640165199480046627237","209537086515389493350690293583262327698","336638940344232576748879325555018675295","290195650426669229972631794666852882697","316869846325139134482197498396040947241","98978685999047704260859901809658601436","66713046972866171141666793448592911937","70951605814537274226637448056123243999","73045283482278233723603724305529468197","720907170848882467705951804579368412","226330843417486150718958423314200243673","85144265477076689970926204960836968161","314206670183415726373366894898938001149","172619242598087600524357852643014180853","95735506433390110201943194434443674531","211508082821721872042131888954439020456","14820181320432517809550812990812098366","106575764043889430725523991693679123277","146798220457495541474831224980364084352","58343409377693221464216214816153043745","171414871098417147096774123239360254997","291092557268477884104388153207884660786","32241306396798427306414738535930101516","231643974046669062997503464257060974385","240371940621273824718247138934059357368","184806936220531504658098381513659197731","81919277886666188488480283812292067444","149377358225375140122497145260569518104","265435439802591273091925961586711629575","157726979914407471226180482242918013324","66556945124345588738961021758831303356","207042117223902267080839941051962273975","74099799669146619617408681253079733253","141337891528981270783627667510716406451","57841797452775091847200188806983454974","176201283758975074946037650289294166513","53897784563193873017375327121188859185","138842211895113693805081800291293443999","150571077837334685473369971380323531529","85572648938815739982053939953195607467","197776950827311891957078295925340475382","141106767238843248766991195816143251449","247907712445775656169159254046884615456","319632202802450905272038994701258323433","296266009731088054802293654036564218745","80843244448872150281947923974883503885","116331513714392116236572826868808020391","295962421347268420065842550415190149939","82040104080902747463805723425594009265","317880321661169542885238195610237209337"]},"source":"https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2023-28487-df87ce9c","target":{"file":"lib/eventlog/eventlog.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}