CVE-2023-7090: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in sudo (CVE-2023-7090) related to the handling of ipa_hostname from /etc/sssd/sssd.conf. The flaw was found in versions prior to 1.8.28, where ipa_hostname was not properly propagated in sudo. This vulnerability was disclosed on December 23, 2023, and affects sudo installations where the ipa_hostname configuration is used (NVD, Debian Security).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H by NIST. Red Hat has alternatively assessed it with a CVSS score of 6.6 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-269 (Improper Privilege Management) (NVD).

When exploited, this vulnerability allows client hosts to retain privileges even after they have been retracted, leading to a privilege mismanagement condition. This could potentially result in unauthorized access and privilege escalation scenarios (NetApp Security).

The vulnerability has been fixed in sudo version 1.8.28 and later releases. Organizations are advised to upgrade their sudo installations to version 1.8.28 or newer to address this security issue. Various vendors have released patches for their affected products, including Debian which has released version 1.8.27-1+deb10u6 for Debian 10 (Debian LTS).