Local privilege escalation in Perl's Encode module affecting multiple versions
CVE-2021-36770
7.8 HIGH
What is CVE-2021-36770?
Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library placed in the current working directory, which preempts the dynamic loading of the real module. Exploitation requires an unusual configuration, and only certain 2021 releases of Encode.pm (3.05 through 3.11) are affected. The root cause is that the || operator evaluates @INC in scalar context. An array in scalar context yields its element count, so the localised @INC ends up holding a single integer instead of the list of library directories, and Perl treats that integer as a relative directory name when it searches for Encode::ConfigLocal.
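The scalar-context pitfall named above, as an added Perl illustration. This is not Encode.pm's source; the search-path entries, the planted module file and the `$main::PLANTED` flag are constructed for the example, and the buggy idiom `@paths || ()` stands in for the pattern the description refers to.

```perl
#!/usr/bin/env perl
# Added illustration (not Encode.pm's code): how `@array || ()` collapses a
# module search path to one integer, and what `require` then does with it.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# A stand-in search path, constructed for this example.
my @paths = ('/usr/lib/perl5', '/usr/local/lib/perl5', '.');

# Buggy idiom: || evaluates its left operand in scalar context, and an array in
# scalar context is its element count, so the copy is the one-element list (3).
my @broken = @paths || ();
print "broken copy of \@INC: @broken\n";

# Correct idiom: assigning the array directly keeps every element; the guard on
# @fixed avoids touching $fixed[-1] when the list is empty.
my @fixed = @paths;
pop @fixed if @fixed && $fixed[-1] eq '.';
print "fixed copy of \@INC:  @fixed\n";

# The file names require() would probe under each copy: the broken copy makes
# Perl look for ./3/Encode/ConfigLocal.pm, relative to the current directory.
for my $inc (\@broken, \@fixed) {
    print "  would probe: ", join(", ", map { "$_/Encode/ConfigLocal.pm" } @$inc), "\n";
}

# End-to-end check in a scratch directory: plant a module exactly where the
# broken search path points and see which form loads it.
my $orig_cwd = getcwd();
my $scratch  = tempdir(CLEANUP => 1);
chdir $scratch or die "chdir $scratch: $!";
make_path("3/Encode");
open my $fh, '>', "3/Encode/ConfigLocal.pm" or die "open: $!";
print $fh "package Encode::ConfigLocal; \$main::PLANTED = 1; 1;\n";  # constructed payload marker
close $fh;

sub try_load {
    my ($label, @inc) = @_;
    $main::PLANTED = 0;
    delete $INC{'Encode/ConfigLocal.pm'};       # forget any earlier load
    local @INC = @inc;
    eval { require Encode::ConfigLocal; };
    printf "%-10s loaded planted module: %s\n", $label, $main::PLANTED ? "yes" : "no";
}

try_load("buggy",  @paths || ());               # @INC becomes (3)
try_load("fixed",  do { my @i = @paths; pop @i if @i && $i[-1] eq '.'; @i });

chdir $orig_cwd or die "chdir $orig_cwd: $!";   # leave the temp dir so CLEANUP can remove it
```

The "buggy" call reports that the planted file was loaded, because `require` resolves the integer 3 as the relative directory `./3`; the "fixed" call, which preserves the real list and strips only a trailing `.`, never looks under the working directory.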
CVSS V3.1
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 7.8
Severity: HIGH
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High