{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-37600", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T01:23:01.417Z", "dateReserved": "2021-07-28T00:00:00", "datePublished": "2021-07-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-04-07T12:06:01.027339"}, "descriptions": [{"lang": "en", "value": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/karelzak/util-linux/issues/1395"}, {"url": "https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c"}, {"url": "https://security.netapp.com/advisory/ntap-20210902-0002/"}, {"name": "GLSA-202401-08", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-08"}, {"name": "[debian-lts-announce] 20240407 [SECURITY] [DLA 3782-1] util-linux security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:23:01.417Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/karelzak/util-linux/issues/1395", "tags": ["x_transferred"]}, {"url": "https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210902-0002/", "tags": ["x_transferred"]}, {"name": "GLSA-202401-08", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-08"}, {"name": "[debian-lts-announce] 20240407 [SECURITY] [DLA 3782-1] util-linux security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "332D3DCC-3B7E-466E-844E-F2014DC27B45", "versionEndIncluding": "2.37.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments."}, {"lang": "es", "value": "** EN DISPUTA ** Un desbordamiento de enteros en util-linux hasta la versi\u00f3n 2.37.1 puede potencialmente causar un desbordamiento de b\u00fafer si un atacante fuera capaz de utilizar los recursos del sistema de una manera que lleve a un n\u00famero grande en el archivo /proc/sysvipc/sem. NOTA: esto es inexplotable en entornos de GNU C Library, y posiblemente en todos los entornos realistas"}], "id": "CVE-2021-37600", "lastModified": "2024-11-21T06:15:30.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 1.2, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-30T14:15:18.737", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/karelzak/util-linux/issues/1395"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202401-08"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210902-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/karelzak/util-linux/issues/1395"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202401-08"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210902-0002/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "util-linux: integer overflow can lead to buffer overflow in get_sem_elements() in sys-utils/ipcutils.c", "id": "1987320", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1987320"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190->CWE-119", "details": ["An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.", "An integer truncation flaw was found in util-linux that potentially causes a buffer overflow if an attacker can use system resources that lead to a large number in the /proc/sysvipc/sem file. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-37600", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-07-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-37600\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37600"], "statement": "This vulnerability is only present in the 32-bit builds of the util-linux package. The standard 64-bit builds (eg x86_64) are not affected. Red Hat Enterprise Linux 8 is marked \"Not Affected\" since the impacted package is not available as a 32-bit build.\nIn order for exploit to be possible the \"kernel.sem\" limits controlled by sysctl must be raised to an abnormally high number. Default values on Red Hat Enterprise Linux are too low to make exploitation possible.", "threat_severity": "Low"}