ubuntucve | Ubuntu.com | UB:CVE-2023-4911
History: Oct 03, 2023 - 12:00 a.m.

CVE-2023-4911

Tags: buffer overflow, gnu c library, local attacker, privilege escalation, suid binaries, cve-2023-4911

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.016
Percentile: 87.4%

A buffer overflow was discovered in the GNU C Library’s dynamic loader
ld.so while processing the GLIBC_TUNABLES environment variable. This issue
could allow a local attacker to use maliciously crafted GLIBC_TUNABLES
environment variables when launching binaries with SUID permission to
execute code with elevated privileges.

Notes

Author | Note
- | Priority reason: Local privilege escalation in a package that is installed on all Ubuntu instances.
alexmurray | Upstream advisory states this was introduced in April 2021 (glibc 2.34) by commit 2ed18c5b534d9e92fc006202a5af0df6b72e7aca

OS | OS Version | Architecture | Package | Package Version | Filename
ubuntu | 22.04 | noarch | glibc | < 2.35-0ubuntu3.4 | UNKNOWN
ubuntu | 23.04 | noarch | glibc | < 2.37-0ubuntu2.1 | UNKNOWN
ubuntu | 23.10 | noarch | glibc | < 2.38-1ubuntu6 | UNKNOWN
ubuntu | 24.04 | noarch | glibc | < 2.38-1ubuntu6 | UNKNOWN
