Integer Overflow or Wraparound

Affecting glibc package, versions *

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package.

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Remediation

There is no fixed version for Debian:9 glibc.

References

CVSS Score

9.1
critical severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE
CVE-2021-35942
CWE
CWE-190
Snyk ID
SNYK-DEBIAN9-GLIBC-1315336
Disclosed
22 Jul, 2021
Published
01 Jul, 2021