{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-12-07T00:00:00", "descriptions": [{"lang": "en", "value": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-18T14:06:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "42547", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42547"}, {"name": "1024832", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1024832"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"name": "VU#912279", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"name": "45233", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/45233"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"name": "15935", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/15935"}, {"name": "8003", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/8003"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["third-party-advisory", "x_refsource_SREASONRES"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, {"name": "[guacamole-issues] 20210618 [jira] [Created] (GUACAMOLE-1368) Latest docker image fails security scans.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4051", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "42547", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42547"}, {"name": "1024832", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1024832"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"name": "VU#912279", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/912279"}, {"name": "45233", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45233"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"name": "http://cxib.net/stuff/proftpd.gnu.c", "refsource": "MISC", "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"name": "15935", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15935"}, {"name": "8003", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8003"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "refsource": "SREASONRES", "url": "http://securityreason.com/achievement_securityalert/93"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=645859", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, {"name": "[guacamole-issues] 20210618 [jira] [Created] (GUACAMOLE-1368) Latest docker image fails security scans.", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T03:34:37.117Z"}, "title": "CVE Program Container", "references": [{"name": "42547", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42547"}, {"name": "1024832", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1024832"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"name": "VU#912279", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"name": "45233", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/45233"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"name": "15935", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/15935"}, {"name": "8003", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/8003"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["third-party-advisory", "x_refsource_SREASONRES", "x_transferred"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, {"name": "[guacamole-issues] 20210618 [jira] [Created] (GUACAMOLE-1368) Latest docker image fails security scans.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4051", "datePublished": "2011-01-13T18:35:00", "dateReserved": "2010-10-22T00:00:00", "dateUpdated": "2024-08-07T03:34:37.117Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:1.00:*:*:*:*:*:*:*", "matchCriteriaId": "AA23C241-132B-423E-A22A-7206A8074D10", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.01:*:*:*:*:*:*:*", "matchCriteriaId": "F79978B1-8831-4169-B815-80138C85832C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.02:*:*:*:*:*:*:*", "matchCriteriaId": "991EB676-F043-418D-BD81-0BB937236D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.03:*:*:*:*:*:*:*", "matchCriteriaId": "AA0C5DB0-602E-4296-884C-60E24FC80458", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.04:*:*:*:*:*:*:*", "matchCriteriaId": "3211F47C-DF6D-4355-95F8-DED317700621", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.05:*:*:*:*:*:*:*", "matchCriteriaId": "229BFD88-A90F-4D2B-97B9-822A7D87EAEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.06:*:*:*:*:*:*:*", "matchCriteriaId": "FFE253B0-D8E0-4099-8CA7-8925B4809F88", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.07:*:*:*:*:*:*:*", "matchCriteriaId": "D640F556-8181-4F15-B2F7-7EC7E8869FB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.08:*:*:*:*:*:*:*", "matchCriteriaId": "061383CD-B9AD-41C6-8C46-F79870B9CD22", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.09:*:*:*:*:*:*:*", "matchCriteriaId": "9897B03F-A457-4B29-9C5E-FEA084D3BF0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.09.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7C3684B-CE01-46B5-9E41-BF58E6A5AA64", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E2A0F12-FD00-40B9-86AD-7D082385E5DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8ED8F0E8-A969-4F7F-A100-662F4A5426FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "9416576F-A605-45BE-AA01-FEF357A66979", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AE582B8F-4E31-4D0F-B2F9-AC83C855F751", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "DB56D9C9-13B3-418C-B06C-0997E165F1C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "8AFD93D5-70BB-475C-BDD3-DEDE9965C5BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "19D5667D-5EA4-4B44-BF8A-9C10506BD4E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.10:*:*:*:*:*:*:*", "matchCriteriaId": "E3D70AB0-2910-4191-9980-5BA78E8F2E11", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A30D0EE-1AED-4C99-8A22-24E47212F3FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "9A93600D-7271-4AF5-8133-C6AA5BC8543F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11:*:*:*:*:*:*:*", "matchCriteriaId": "4169CA4B-C4F5-499A-A35A-49DD43AC0A22", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3AC9749-52C5-4E17-8A77-5F4ED91FA8E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "C55E32EC-33A6-4145-9B76-C7E3DBACD1E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "6423F0B5-E483-4DE9-B13F-3A7322F055DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "A0B4AFFF-A537-44BD-B97A-EFA9409DB8BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "C543B0E8-8B48-44A4-B63F-B2D9EA23E8EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "37880948-2AB5-491A-85E2-B7E271E03B1D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\""}, {"lang": "es", "value": "La implementaci\u00f3n de regcomp en la librer\u00eda de C de GNU (tambi\u00e9n conocido como glibc o libc6) desde v2.11.3 y v2.12.x hasta v2.12.2, permite a atacantes dependientes de contexto provocar una denegaci\u00f3n de servicio (ca\u00edda de la aplicaci\u00f3n) a trav\u00e9s de una expresi\u00f3n regular que contiene repeticiones delimitadas adjacentes que pretenden evitar la limitaci\u00f3n RE_DUP_MAX, como se demuestra mediante la secuencia {10} {10} {10} {10} {10} en el exploit proftpd.gnu.c para ProFTPD, relacionado con un desbordamiento de \"RE_DUP_MAX\"."}], "id": "CVE-2010-4051", "lastModified": "2023-11-07T02:06:05.043", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-01-13T19:00:02.900", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/42547"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://securityreason.com/securityalert/8003"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1024832"}, {"source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/15935"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/45233"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "glibc: De-recursivise regular expression engine", "id": "645859", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "status": "draft"}, "details": ["The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\""], "name": "CVE-2010-4051", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:3", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2010-12-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-4051\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-4051"], "statement": "Red Hat does not consider crash of client application, using regcomp() \nor regexec() routines on untrusted input without preliminary checking \nthe input for the sanity, to be a security issue (the described deficiency \nimplies and is a known limitation of the glibc regular expression engine \nimplementation). The expressions can be modified to avoid quantification \nnesting, or program modified to limit size of input passed to regular \nexpression engine. We do not currently plan to fix these flaws. If more \ninformation becomes available at a future date, we may revisit these issues."}