CVE-2021-3800 — Sensitive Information Exposure in Glib

CWE-200 — Sensitive Information Exposure CWE-552 — Files or Directories Accessible to External Parties CWE-838 — Inappropriate Encoding for Output Context8 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 80.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Glib Debian Linux

Timeline

PublishedAug 23

Latest updateAug 24

Description

A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDgnome/glib2.63.0 — 2.63.6+1

▶CVEListV5gnome/glibFixed in glib2 2.63.6

Also affects: Debian Linux 10.0

Patches

Patch: bugzilla.redhat.com ↗Patch: gitlab.gnome.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-58w9-h6f7-f979: A flaw was found in glib before version 2↗2022-08-24

▶

CVEList

CVE-2021-3800: A flaw was found in glib before version 2↗2022-08-23

▶

OSV

CVE-2021-3800: A flaw was found in glib before version 2↗2022-08-23

▶

📋Vendor Advisories

Microsoft

A flaw was found in glib before version 2.63.6. Due to random charset alias pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.↗2022-08-09

▶

Ubuntu

GLib vulnerability↗2021-12-13

▶

Red Hat

glib2: Possible privilege escalation thourgh pkexec and aliases↗2021-03-04

▶

Debian

CVE-2021-3800: glib2.0 - A flaw was found in glib before version 2.63.6. Due to random charset alias, pke...↗2021

▶