CVE-2021-36770
HIGH
p5-encode 3.05-3.11 - Uncontrolled Search Path Element via Encode::ConfigLocal Library
Title source: llm
Description
Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
References (9)
Core References
Third Party Advisory x_refsource_confirm
https://metacpan.org/dist/Encode/changes
Third Party Advisory x_refsource_misc
https://security-tracker.debian.org/tracker/CVE-2021-36770
Patch, Third Party Advisory x_refsource_confirm
https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74
Patch, Third Party Advisory x_refsource_confirm
https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9
Third Party Advisory x_refsource_confirm
https://news.cpanel.com/unscheduled-tsr-10-august-2021/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210909-0003/
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241108-0002/
Scores
CVSS v3
7.8
EPSS
0.0011
EPSS Percentile
28.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-427
Status
published
Products (3)
fedoraproject/fedora
34
fedoraproject/fedora
33
p5-encode_project/p5-encode
3.05 - 3.12
Published
Aug 11, 2021
Tracked Since
Feb 18, 2026