Vulnerability Details : CVE-2021-35942
The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.
Vulnerability category: Overflow, Denial of service
Products affected by CVE-2021-35942
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- Netapp » E-series Santricity Os Controller, versions from (including, >=) 11.0 up to (including, <=) 11.70.1: cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-35942
- 1.09%: Probability of exploitation activity in the next 30 days
- ~84%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-35942
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 | NIST | |
CWE ids for CVE-2021-35942
- The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-35942
- https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
  sourceware.org Git - glibc.git/commit (Mailing List; Patch; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210827-0005/
  CVE-2021-35942 GNU C Library (glibc) Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://sourceware.org/glibc/wiki/Security%20Exceptions
  Security Exceptions - glibc wiki (Vendor Advisory)
- https://sourceware.org/bugzilla/show_bug.cgi?id=28011
  28011 – (CVE-2021-35942) Wild read in wordexp (parse_param) (CVE-2021-35942) (Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
  [SECURITY] [DLA 3152-1] glibc security update (Mailing List; Third Party Advisory)
- https://security.gentoo.org/glsa/202208-24
  GNU C Library: Multiple Vulnerabilities (GLSA 202208-24) — Gentoo security (Third Party Advisory)