A flaw in exists in sudo’s -e option (aka sudoedit) that allows a malicious user with sudoedit privileges to edit arbitrary files.
Sudo versions affected: Sudo versions 1.8.0 through 1.9.12p1 inclusive are affected. Versions of sudo prior to 1.8.0 construct the argument vector differently and are not affected.
CVE ID: This vulnerability has been assigned CVE-2023-22809 in the Common Vulnerabilities and Exposures database.
Details: When invoked as sudo -e or sudoedit, sudo can be used to edit privileged files while running the editor as an unprivileged user.
A PoC exploit for CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document, is now publicly available.
