CVE-2014-7817 — Improper Input Validation in Glibc

CWE-20 — Improper Input Validation CWE-440 — Expected Behavior Violation9 documents8 sources

Severity

4.6MEDIUMNVD

EPSS

0.2%

top 63.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc Canonical Ubuntu Linux Debian Linux +1 more

Timeline

PublishedNov 24

Latest updateMay 14

Description

The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVSS vector

AV:L/AC:L/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages3 packages

▶Debiangnu/glibc< 2.19-14+3

▶NVDgnu/glibc2.21

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Debian Linux 7.0, Ubuntu Linux 10.04, 12.04, 14.04, 14.10

🔴Vulnerability Details

GHSA

GHSA-47cv-pfmg-555j: The wordexp function in GNU C Library (aka glibc) 2↗2022-05-14

▶

CVEList

CVE-2014-7817: The wordexp function in GNU C Library (aka glibc) 2↗2014-11-24

▶

OSV

CVE-2014-7817: The wordexp function in GNU C Library (aka glibc) 2↗2014-11-24

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2014-12-03

▶

Red Hat

glibc: command execution in wordexp() with WRDE_NOCMD specified↗2014-11-20

▶

Debian

CVE-2014-7817: glibc - The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE...↗2014

▶

💬Community

Bugzilla

CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified [fedora-all]↗2014-11-25

▶

Bugzilla

CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified↗2014-10-27

▶