Lucene search

MitreCVE-2021-35942

HistoryJul 22, 2021 - 6:15 p.m.

CVE-2021-35942

2021-07-2218:15:23

CWE-190

mitre

web.nvd.nist.gov

284

cve-2021-35942

glibc

wordexp function

denial of service

disclosure of information

atoi

strtoul

nvd

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

9.4

Confidence

High

EPSS

0.016

Percentile

87.6%

JSON

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Affected configurations

Nvd

Node

gnuglibcRange<2.32

Node

netappactive_iq_unified_managerMatch-vmware_vsphere

netappe-series_santricity_os_controllerRange11.0–11.70.1

netapphci_management_nodeMatch-

netappontap_select_deploy_administration_utilityMatch-

netappsolidfireMatch-

Node

debiandebian_linuxMatch10.0

VendorProductVersionCPE
gnuglibc*cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
netappactive_iq_unified_manager-cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
netappe-series_santricity_os_controller*cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
netapphci_management_node-cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
netappontap_select_deploy_administration_utility-cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
netappsolidfire-cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gnu	glibc	*	cpe:2.3:a:gnu:glibc::::::::
netapp	active_iq_unified_manager	-	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
netapp	e-series_santricity_os_controller	*	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
netapp	hci_management_node	-	cpe:2.3:a:netapp:hci_management_node:-:::::::*
netapp	ontap_select_deploy_administration_utility	-	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
netapp	solidfire	-	cpe:2.3:a:netapp:solidfire:-:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*