CPANSA-Encode-2021-01: Encode vulnerability
| Publisher |
giterlizzi |
Document category |
csaf_security_advisory |
| Initial release date |
2021-07-17T00:00:00 |
Engine |
CSAF Perl Toolkit 0.25 |
| Current release date |
2021-07-17T00:00:00 |
Build Date |
|
| Current version |
1 |
Status |
final |
| CVSS v3.1 Base Score |
7.8
|
Severity |
|
| Original language |
|
Language |
en |
| Also referred to |
|
Vulnerability Description
Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
Vulnerabilities
CVE-2021-36770
Vulnerability DescriptionEncode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
| Weakness |
CWE-427 : Uncontrolled Search Path Element
|
Product status
Known affected
| Product |
Score |
| Encode greater than or equal 3.05 |
|
| Encode less than or equal 3.11 |
|
Fixed
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
Revision history
| Version |
Date of the revision |
Summary of the revision |
| 1 |
Sat Jul 17 00:00:00 2021 |
First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/