CVE-2021-35942
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
22/07/2021
Last modified:
01/05/2025
Description
The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Base Score 2.0
6.40
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* | 2.31 (excluding) | |
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* | ||
| cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* | 11.0 (including) | 11.70.1 (including) |
| cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://security.gentoo.org/glsa/202208-24
- https://security.netapp.com/advisory/ntap-20210827-0005/
- https://sourceware.org/bugzilla/show_bug.cgi?id=28011
- https://sourceware.org/git/?p=glibc.git%3Ba%3Dcommit%3Bh%3D5adda61f62b77384718b4c0d8336ade8f2b4b35c
- https://sourceware.org/glibc/wiki/Security%20Exceptions
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://security.gentoo.org/glsa/202208-24
- https://security.netapp.com/advisory/ntap-20210827-0005/
- https://sourceware.org/bugzilla/show_bug.cgi?id=28011
- https://sourceware.org/git/?p=glibc.git%3Ba%3Dcommit%3Bh%3D5adda61f62b77384718b4c0d8336ade8f2b4b35c
- https://sourceware.org/glibc/wiki/Security%20Exceptions