Vulnerability Details : CVE-2021-3800
Potential exploit
A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
Vulnerability category: Information leak
Products affected by CVE-2021-3800
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3800
- 0.07%: Probability of exploitation activity in the next 30 days
- ~ 33 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-3800
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
CWE ids for CVE-2021-3800
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: secalert@redhat.com (Primary)
- The product makes files or directories accessible to unauthorized actors, even though they should not be. Assigned by: nvd@nist.gov (Secondary)
References for CVE-2021-3800
- https://gitlab.gnome.org/GNOME/glib/-/commit/3529bb4450a51995
  libcharset: Drop a redundant environment variable (3529bb44) · Commits · GNOME / GLib · GitLab (Patch; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20221028-0004/
  CVE-2021-3800 GNOME GLib Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://access.redhat.com/security/cve/CVE-2021-3800
  CVE-2021-3800 - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1938284
  1938284 – (CVE-2021-3800) CVE-2021-3800 glib2: Possible privilege escalation thourgh pkexec and aliases (Issue Tracking; Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/09/msg00020.html
  [SECURITY] [DLA 3110-1] glib2.0 security update (Mailing List; Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2017/06/23/8
  oss-security - charset.alias in pkexec/glib/gnulib (was: glibc locale issues) (Exploit; Mailing List; Patch; Third Party Advisory)