{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46717", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-28T20:56:09.083Z", "datePublished": "2025-05-12T14:52:55.408Z", "dateUpdated": "2025-05-12T22:06:55.312Z"}, "containers": {"cna": {"title": "sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders", "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "lang": "en", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f"}, {"name": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6"}], "affected": [{"vendor": "trifectatechfoundation", "product": "sudo-rs", "versions": [{"version": "< 0.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-12T14:52:55.408Z"}, "descriptions": [{"lang": "en", "value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability."}], "source": {"advisory": "GHSA-98cv-wqjx-wx8f", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-12T21:46:20.352795Z", "id": "CVE-2025-46717", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-12T22:06:55.312Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46717", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-12T21:46:20.352795Z"}}}], "references": [{"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-12T21:46:30.657Z"}}], "cna": {"title": "sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders", "source": {"advisory": "GHSA-98cv-wqjx-wx8f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "trifectatechfoundation", "product": "sudo-rs", "versions": [{"status": "affected", "version": "< 0.2.6"}]}], "references": [{"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f", "name": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6", "name": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-12T14:52:55.408Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46717", "state": "PUBLISHED", "dateUpdated": "2025-05-12T22:06:55.312Z", "dateReserved": "2025-04-28T20:56:09.083Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-12T14:52:55.408Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trifectatech:sudo:*:*:*:*:*:rust:*:*", "matchCriteriaId": "FC98CE22-CA46-419B-ACDE-21E0AC76561B", "versionEndExcluding": "0.2.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability."}, {"lang": "es", "value": "sudo-rs es una implementaci\u00f3n de sudo y su con memoria segura, escrita en Rust. Antes de la versi\u00f3n 0.2.6, los usuarios sin privilegios de sudo (o con privilegios muy limitados) pod\u00edan determinar si exist\u00edan archivos en carpetas a las que de otro modo no podr\u00edan acceder mediante `sudo --list `. Los usuarios con acceso local a una m\u00e1quina pueden descubrir la existencia o inexistencia de ciertos archivos, revelando informaci\u00f3n potencialmente sensible en sus nombres. Esta informaci\u00f3n tambi\u00e9n puede utilizarse en combinaci\u00f3n con otros ataques. La versi\u00f3n 0.2.6 corrige esta vulnerabilidad."}], "id": "CVE-2025-46717", "lastModified": "2025-07-09T01:51:08.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-12T15:16:01.260", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-98cv-wqjx-wx8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}