{"containers": {"cna": {"affected": [{"product": "glibc", "vendor": "GNU C Library", "versions": [{"status": "affected", "version": "current (At least as of 2018-02-16)"}]}], "descriptions": [{"lang": "en", "value": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat."}], "problemTypes": [{"descriptions": [{"description": "Mitigation bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-10T16:12:20", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"}, {"name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"}, {"name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://ubuntu.com/security/CVE-2019-1010022"}, {"tags": ["x_refsource_MISC"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010022", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "glibc", "version": {"version_data": [{"version_value": "current (At least as of 2018-02-16)"}]}}]}, "vendor_name": "GNU C Library"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Mitigation bypass"}]}]}, "references": {"reference_data": [{"name": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "refsource": "MISC", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"}, {"name": "CVE-2019-1010022", "refsource": "DEBIAN", "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"}, {"name": "CVE-2019-1010022", "refsource": "UBUNTU", "url": "https://ubuntu.com/security/CVE-2019-1010022"}, {"name": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "refsource": "MISC", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.071Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"}, {"name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"}, {"name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://ubuntu.com/security/CVE-2019-1010022"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-24T16:01:23.968883Z", "id": "CVE-2019-1010022", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T15:04:27.415Z"}}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010022", "datePublished": "2019-07-15T03:00:51", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-11-15T15:04:27.415Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.071Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-1010022", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-24T16:01:23.968883Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T15:04:19.238Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "current (At least as of 2018-02-16)"}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "tags": ["x_refsource_MISC"]}, {"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "name": "CVE-2019-1010022", "tags": ["vendor-advisory", "x_refsource_UBUNTU"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Mitigation bypass"}]}], "providerMetadata": {"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf", "dateUpdated": "2021-06-10T16:12:20"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "current (At least as of 2018-02-16)"}]}, "product_name": "glibc"}]}, "vendor_name": "GNU C Library"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "name": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "refsource": "MISC"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "name": "CVE-2019-1010022", "refsource": "DEBIAN"}, {"url": "https://ubuntu.com/security/CVE-2019-1010022", "name": "CVE-2019-1010022", "refsource": "UBUNTU"}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "name": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Mitigation bypass"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-1010022", "STATE": "PUBLIC", "ASSIGNER": "cve-assign@distributedweaknessfiling.org"}}}}, "cveMetadata": {"cveId": "CVE-2019-1010022", "state": "PUBLISHED", "dateUpdated": "2024-11-15T15:04:27.415Z", "dateReserved": "2019-03-20T00:00:00", "assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "datePublished": "2019-07-15T03:00:51", "assignerShortName": "dwf"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*", "matchCriteriaId": "68D5A70D-5CEE-4E19-BF35-0245A0E0F6BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "josh@bress.net", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat."}, {"lang": "es", "value": "** EN DISPUTA ** La biblioteca Libc actual de GNU est\u00e1 afectada por: Omisi\u00f3n de Mitigaci\u00f3n. El impacto es: El atacante puede omitir la protecci\u00f3n stack guard. El componente es: nptl. El vector de ataque es: explotar la vulnerabilidad de desbordamiento del b\u00fafer de la pila y utilizar esta vulnerabilidad de omisi\u00f3n para eludir la protecci\u00f3n stack guard. NOTA: Los comentarios de los usuarios indican que \"esto est\u00e1 siendo tratado como un error de no seguridad y no una amenaza real\"."}], "id": "CVE-2019-1010022", "lastModified": "2024-11-21T04:17:55.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-15T04:15:13.317", "references": [{"source": "josh@bress.net", "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"}, {"source": "josh@bress.net", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"}, {"source": "josh@bress.net", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"}, {"source": "josh@bress.net", "url": "https://ubuntu.com/security/CVE-2019-1010022"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security-tracker.debian.org/tracker/CVE-2019-1010022"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://ubuntu.com/security/CVE-2019-1010022"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "glibc: stack guard protection bypass", "id": "1731964", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1731964"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-121->CWE-119->CWE-305", "details": ["GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", "[Disputed] GNU Libc is impacted by a mitigation bypass issue in its nptl component, which could allow an attacker to bypass stack guard protections. The stack canary (designed to prevent stack-based buffer overflows) can be overwritten if an attacker already have exploited any stack buffer overflow vulnerability. The vulnerability arises when creating new threads with pthread_create(), where the tcbhead_t structure containing the stack_guard is placed on the thread stack, making it susceptible to overwriting. Although this weakens the stack canary protection, it is categorized as a post-attack mitigation rather than a direct security flaw. Upstream maintainers have indicated that this is being treated as a non-security issue with no immediate threat."], "name": "CVE-2019-1010022", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2019-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-1010022\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1010022"], "statement": "Red Hat Product Security does not consider this to be a vulnerability. Also, the upstream project recognizes it as a hardening issue [1], they do not classify it as a security flaw.\nHere are some technical notes regarding the issue:\nThe issue relates to a mitigation bypass in the GNU Libc library's NPTL component, allowing attackers to circumvent stack guard protection via a stack buffer overflow. However, this is considered a post-attack mitigation rather than a direct vulnerability. According to the glibc security process [2], an issue must meet specific criteria for direct exploitation to be deemed a security bug.\nIn this case, the bypass of stack canary protection occurs by overwriting the stack_guard in the tcbhead_t structure, but only after a successful stack overflow attack. This issue does not directly lead to code execution. Instead, it weakens an additional layer of protection after an attack has already occurred, thus classifying it as a post-attack hardening issue.\nIn summary, while the issue has security implications, it does not meet the criteria to be classified as a direct security vulnerability.\n[1] https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3\n[2] https://sourceware.org/git/?p=glibc.git;a=blob;f=SECURITY.md"}

{}