CVE-2011-1095 — Glibc vulnerability

CWE-2648 documents8 sources

Severity

6.2MEDIUMNVD

EPSS

0.1%

top 75.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc

Timeline

PublishedApr 10

Latest updateMay 14

Description

locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.

CVSS vector

AV:L/AC:H/C:C/I:C/A:CExploitability: 1.9 | Impact: 10.0

Affected Packages2 packages

▶Debiangnu/glibc< 2.13-16+3

▶NVDgnu/glibc2.12.2+56

Patches

Patch: bugs.gentoo.org ↗Patch: openwall.com ↗Patch: openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-hhjf-9w4x-vhhf: locale/programs/locale↗2022-05-14

▶

OSV

CVE-2011-1095: locale/programs/locale↗2011-04-10

▶

CVEList

CVE-2011-1095: locale/programs/locale↗2011-04-10

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2012-03-09

▶

Debian

CVE-2011-1095: glibc - locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) bef...↗2011

▶

Red Hat

glibc: insufficient quoting in the locale command output↗2010-08-11

▶

💬Community

Bugzilla

CVE-2011-1095 glibc: insufficient quoting in the locale command output↗2010-08-20

▶