7.8

CVE-2021-36770

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
P5-encode ProjectP5-encode Version >= 3.05 < 3.12
   PerlPerl Version <= 5.34.0
FedoraprojectFedora Version34
FedoraprojectFedora Version33
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.4% 0.689
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9
Patch
Third Party Advisory
https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
https://metacpan.org/dist/Encode/changes
Third Party Advisory
https://news.cpanel.com/unscheduled-tsr-10-august-2021/
Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-36770
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210909-0003/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20241108-0002/