CVE-2021-36770

HIGH

P5-encode < 3.12 - Uncontrolled Search Path

Title source: rule

Description

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.

References (9)

[Patch, Third Party Advisory] https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9

[Patch, Third Party Advisory] https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74

[Third Party Advisory] https://metacpan.org/dist/Encode/changes

[Third Party Advisory] https://news.cpanel.com/unscheduled-tsr-10-august-2021/

[Third Party Advisory] https://security-tracker.debian.org/tracker/CVE-2021-36770

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210909-0003/

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20241108-0002/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/

Scores

CVSS v3 7.8

EPSS 0.0011

EPSS Percentile 29.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (3)

p5-encode_project/p5-encode < 3.12

fedoraproject/fedora

fedoraproject/fedora

Timeline

Published Aug 11, 2021

Tracked Since Feb 18, 2026