Search for vulnerabilities
Vulnerability details: VCID-x6nw-5wtg-aaaa
Vulnerability ID VCID-x6nw-5wtg-aaaa
Aliases CVE-2021-36770
Summary Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-427 Uncontrolled Search Path Element
CWE-426 Untrusted Search Path
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-36770.html
cvssv3 7.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-36770.json
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
epss 0.01137 https://api.first.org/data/v1/epss?cve=CVE-2021-36770
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=1983786
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770
cvssv3.1 8.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2021-36770
cvssv3 7.8 https://nvd.nist.gov/vuln/detail/CVE-2021-36770
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2021-36770
archlinux Medium https://security.archlinux.org/AVG-2264
generic_textual Medium https://ubuntu.com/security/notices/USN-5033-1
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-36770.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-36770.json
https://api.first.org/data/v1/epss?cve=CVE-2021-36770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74
https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
https://metacpan.org/dist/Encode/changes
https://news.cpanel.com/unscheduled-tsr-10-august-2021/
https://security.netapp.com/advisory/ntap-20210909-0003/
https://security-tracker.debian.org/tracker/CVE-2021-36770
https://ubuntu.com/security/notices/USN-5033-1
1983786 https://bugzilla.redhat.com/show_bug.cgi?id=1983786
AVG-2264 https://security.archlinux.org/AVG-2264
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
CVE-2021-36770 https://nvd.nist.gov/vuln/detail/CVE-2021-36770
GLSA-202411-09 https://security.gentoo.org/glsa/202411-09
USN-5033-1 https://usn.ubuntu.com/5033-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-36770.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-36770
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-36770
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-36770
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.38685
EPSS Score 0.00088
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.