CVE-2021-36770
First published: Wed Aug 11 2021(Updated: )
Encode could allow a local authenticated attacker to gain elevated privileges on the system, caused by an untrusted search path flaw. By using a specially-crafted Encode::ConfigLocal library, an attacker could exploit this vulnerability to gain elevated privileges.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| P5-encode Project P5-encode | >=3.05<3.12 | |
| Perl Perl | <=5.34.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =33 | |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| debian/libencode-perl | 3.08-1+deb11u2 3.08-1+deb11u1 3.19-1 3.21-1 | |
| debian/perl | 5.32.1-4+deb11u3 5.32.1-4+deb11u1 5.36.0-7+deb12u1 5.38.2-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/dankogai/p5-encode/commit/9c5f5a307863b66da3701f6c7d13139aa20179b8
- https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74
- https://github.com/Perl/perl5/commit/8ced1423dbb2a874f2d95e9c5c4c46960c2bf318
- https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9
- https://security-tracker.debian.org/tracker/CVE-2021-36770
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
- https://metacpan.org/dist/Encode/changes
- https://news.cpanel.com/unscheduled-tsr-10-august-2021/
- https://security.netapp.com/advisory/ntap-20210909-0003/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/207932
- https://www.ibm.com/support/pages/node/7156941 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/
Frequently Asked Questions
What is CVE-2021-36770?
CVE-2021-36770 is a vulnerability in Perl through 5.34.0 that allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library.
How can local users exploit CVE-2021-36770?
Local users can exploit CVE-2021-36770 by placing a specially crafted Encode::ConfigLocal library in the current working directory to preempts dynamic module loading.
Which versions of Perl and libencode-perl are affected by CVE-2021-36770?
Versions 3.00-1+deb10u1, 3.08-1+deb11u2, 3.08-1+deb11u1, 3.19-1 of libencode-perl and versions 5.28.1-6+deb10u1, 5.32.1-4+deb11u2, 5.32.1-4+deb11u1, 5.36.0-7, 5.36.0-9 of Perl are affected by CVE-2021-36770.
What is the severity of CVE-2021-36770?
CVE-2021-36770 has a severity rating of 7.8 (high).
How can I mitigate the vulnerability CVE-2021-36770?
To mitigate CVE-2021-36770, it is recommended to update to the fixed versions of Perl (above 5.36.0-9) and libencode-perl (above 3.19-1).
- collector/nvd-index
- agent/type
- agent/remedy
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/p5-encode project
- canonical/p5-encode project p5-encode
- version/p5-encode project p5-encode/3.05
- vendor/perl
- canonical/perl perl
- version/perl perl/5.34.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/33
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp3
- package-manager/debian