Lucene search

PRIOn knowledge basePRION:CVE-2021-36770

HistoryAug 11, 2021 - 11:15 p.m.

Design/Logic Flaw

2021-08-1123:15:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.1%

JSON

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.

CPENameOperatorVersion
fedoraeq34
fedoraeq33
p5-encodege3.05
p5-encodelt3.12

Name	Operator	Version
fedora	eq	34
fedora	eq	33
p5-encode	ge	3.05
p5-encode	lt	3.12

References

github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74

github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9

lists.fedoraproject.org/archives/list/[email protected]/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/

lists.fedoraproject.org/archives/list/[email protected]/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/

metacpan.org/dist/Encode/changes

news.cpanel.com/unscheduled-tsr-10-august-2021/

security-tracker.debian.org/tracker/CVE-2021-36770

security.netapp.com/advisory/ntap-20210909-0003/