CVE-2021-35942
EUVD-2021-2257722.07.2021, 18:15
The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| gnu | glibc | 𝑥 < 2.31 |
| netapp | active_iq_unified_manager | - |
| netapp | e-series_santricity_os_controller | 11.0 ≤ 𝑥 ≤ 11.70.1 |
| netapp | hci_management_node | - |
| netapp | ontap_select_deploy_administration_utility | - |
| netapp | solidfire | - |
| debian | debian_linux | 10.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| eglibc |
| ||||||||||||||||||||||||
| glibc |
|
Common Weakness Enumeration
- CWE-190 - Integer Overflow or WraparoundThe software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
- CWE-704 - Incorrect Type Conversion or CastThe software does not correctly convert an object, resource, or structure from one type to a different type.
References