Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-36770


Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.


Published

2021-08-11T23:15:07.707

Last Modified

2024-11-21T06:14:03.590

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-427

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application p5-encode_project p5-encode < 3.12 Yes
Application perl perl ≤ 5.34.0 No
Operating System fedoraproject fedora 34 Yes
Operating System fedoraproject fedora 33 Yes

References