CVE-2011-1095

2011-04-1002:55:00

CWE-264

[email protected]

web.nvd.nist.gov

cve-2011-1095

glibc

libc6

privilege escalation

environment variable

security vulnerability

7.5 High

AI Score

Confidence

High

6.2 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:H/Au:N/C:C/I:C/A:C

0.0004 Low

EPSS

Percentile

9.3%

JSON

locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.

CPENameOperatorVersion
gnu:glibcgnu glibceq2.2.2
gnu:glibcgnu glibceq2.9
gnu:glibcgnu glibceq2.7
gnu:glibcgnu glibceq2.1.2
gnu:glibcgnu glibceq2.11
gnu:glibcgnu glibceq2.0.5
gnu:glibcgnu glibceq2.2.5
gnu:glibcgnu glibceq2.0.6
gnu:glibcgnu glibceq2.10.1
gnu:glibcgnu glibceq1.00

CPE	Name	Operator	Version
gnu:glibc	gnu glibc	eq	2.2.2
gnu:glibc	gnu glibc	eq	2.9
gnu:glibc	gnu glibc	eq	2.7
gnu:glibc	gnu glibc	eq	2.1.2
gnu:glibc	gnu glibc	eq	2.11
gnu:glibc	gnu glibc	eq	2.0.5
gnu:glibc	gnu glibc	eq	2.2.5
gnu:glibc	gnu glibc	eq	2.0.6
gnu:glibc	gnu glibc	eq	2.10.1
gnu:glibc	gnu glibc	eq	1.00