CVE-2022-39046

CWE-532Log File Information ExposureCWE-20Improper Input Validation6 documents6 sources
Severity
5.3MEDIUM
EPSS
0.7%
top 28.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GNU Glibc
Timeline
PublishedAug 31
Latest updateSep 1

Description

An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Ubuntuglibc< 2.27-3ubuntu1.6+2
NVDgnu/glibc2.36

🔴Vulnerability Details

3
GHSA
GHSA-f6rj-qrpf-jc34: An issue was discovered in the GNU C Library (glibc) 22022-09-01
CVEList
CVE-2022-39046: An issue was discovered in the GNU C Library (glibc) 22022-08-31
OSV
CVE-2022-39046: An issue was discovered in the GNU C Library (glibc) 22022-08-31

📋Vendor Advisories

2
Red Hat
glibc: a crafted input may allow information disclosure2022-08-31
Debian
CVE-2022-39046: glibc - An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog funct...2022
CVE-2022-39046 (MEDIUM CVSS 5.3) | An issue was discovered in the GNU | cvebase.io