{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T09:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2021/02/09/3"}, {"tags": ["x_refsource_MISC"], "url": "https://ftp.gnu.org/gnu/screen/"}, {"name": "[oss-security] 20210210 Re: screen crash processing combining characters", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/02/09/8"}, {"name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2570-1] screen security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00031.html"}, {"name": "DSA-4861", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4861"}, {"name": "FEDORA-2021-5e9894a0c5", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJWLXP45POUUYBJRRWPVAWNZDJTLYWVM/"}, {"name": "FEDORA-2021-9107eeb95c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNWBOIDEPOEQS5RMQVMFKHKXJCGNYWBL/"}, {"name": "GLSA-202105-11", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202105-11"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26937", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html", "refsource": "MISC", "url": "https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html"}, {"name": "https://www.openwall.com/lists/oss-security/2021/02/09/3", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2021/02/09/3"}, {"name": "https://ftp.gnu.org/gnu/screen/", "refsource": "MISC", "url": "https://ftp.gnu.org/gnu/screen/"}, {"name": "[oss-security] 20210210 Re: screen crash processing combining characters", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/02/09/8"}, {"name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2570-1] screen security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00031.html"}, {"name": "DSA-4861", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4861"}, {"name": "FEDORA-2021-5e9894a0c5", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JJWLXP45POUUYBJRRWPVAWNZDJTLYWVM/"}, {"name": "FEDORA-2021-9107eeb95c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNWBOIDEPOEQS5RMQVMFKHKXJCGNYWBL/"}, {"name": "GLSA-202105-11", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202105-11"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:33:41.462Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2021/02/09/3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ftp.gnu.org/gnu/screen/"}, {"name": "[oss-security] 20210210 Re: screen crash processing combining characters", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/02/09/8"}, {"name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2570-1] screen security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00031.html"}, {"name": "DSA-4861", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4861"}, {"name": "FEDORA-2021-5e9894a0c5", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJWLXP45POUUYBJRRWPVAWNZDJTLYWVM/"}, {"name": "FEDORA-2021-9107eeb95c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNWBOIDEPOEQS5RMQVMFKHKXJCGNYWBL/"}, {"name": "GLSA-202105-11", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202105-11"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26937", "datePublished": "2021-02-09T19:35:50", "dateReserved": "2021-02-09T00:00:00", "dateUpdated": "2024-08-03T20:33:41.462Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:screen:*:*:*:*:*:*:*:*", "matchCriteriaId": "F31304B8-5E0C-4BA0-89F6-E2D0CA54A0AC", "versionEndIncluding": "4.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence."}, {"lang": "es", "value": "El archivo encoding.c en GNU Screen versiones hasta 4.8.0, permite a atacantes remotos causar una denegaci\u00f3n de servicio (acceso de escritura no v\u00e1lido y bloqueo de la aplicaci\u00f3n) o posiblemente tener otro impacto no especificado por medio de una secuencia de caracteres UTF-8 dise\u00f1ada"}], "id": "CVE-2021-26937", "lastModified": "2023-11-07T03:31:50.683", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-09T20:15:14.910", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/09/8"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://ftp.gnu.org/gnu/screen/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00031.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNWBOIDEPOEQS5RMQVMFKHKXJCGNYWBL/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJWLXP45POUUYBJRRWPVAWNZDJTLYWVM/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "url": "https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202105-11"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4861"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/02/09/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0742", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "screen-0:4.1.0-0.27.20120314git3c2946.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-03-08T00:00:00Z"}, {"advisory": "RHSA-2022:1074", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "screen-0:4.1.0-0.25.20120314git3c2946.el7_7.1", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2022-03-28T00:00:00Z"}, {"advisory": "RHSA-2022:1074", "cpe": "cpe:/o:redhat:rhel_tus:7.7", "package": "screen-0:4.1.0-0.25.20120314git3c2946.el7_7.1", "product_name": "Red Hat Enterprise Linux 7.7 Telco Extended Update Support", "release_date": "2022-03-28T00:00:00Z"}, {"advisory": "RHSA-2022:1074", "cpe": "cpe:/o:redhat:rhel_e4s:7.7", "package": "screen-0:4.1.0-0.25.20120314git3c2946.el7_7.1", "product_name": "Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions", "release_date": "2022-03-28T00:00:00Z"}], "bugzilla": {"description": "screen: crash when processing combining chars", "id": "1927062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927062"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.", "A flaw was found in screen. A specially crafted sequence of combining characters could cause an out of bounds write leading to arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "This flaw is in utf8 processing; if your screen configuration does not enable utf8 (through configuration such as \"defencoding utf-8\" in .screenrc), you are not vulnerable."}, "name": "CVE-2021-26937", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "screen", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-02-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-26937\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-26937"], "threat_severity": "Important"}