U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:gnu:glibc:2.3.10:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 94 matching records.
Displaying matches 61 through 80.
Vuln ID Summary CVSS Severity
CVE-2013-7423

The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.

Published: February 24, 2015; 10:59:00 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

Published: January 28, 2015; 2:59:00 PM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-6040

An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.

Published: December 05, 2014; 11:59:09 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-6656

iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of "0xffff" to the iconv function when converting IBM930 encoded data to UTF-8.

Published: December 05, 2014; 11:59:00 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-2702

Integer signedness error in Glibc before 2.13 and eglibc before 2.13, when using Supplemental Streaming SIMD Extensions 3 (SSSE3) optimization, allows context-dependent attackers to execute arbitrary code via a negative length parameter to (1) memcpy-ssse3-rep.S, (2) memcpy-ssse3.S, or (3) memset-sse2.S in sysdeps/i386/i686/multiarch/, which triggers an out-of-bounds read, as demonstrated using the memcpy function.

Published: October 27, 2014; 4:55:22 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-4043

The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.

Published: October 06, 2014; 7:55:08 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-5119

An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application.

Published: August 29, 2014; 12:55:11 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-0475

Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

Published: July 29, 2014; 10:55:05 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-4458

It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.

Published: December 12, 2013; 1:55:10 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4122

Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.

Published: October 26, 2013; 8:55:03 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4332

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign). If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Published: October 09, 2013; 6:55:02 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4237

An out-of-bounds write flaw was found in the way the glibc's readdir_r() function handled file system entries longer than the NAME_MAX character constant. A remote attacker could provide a specially crafted NTFS or CIFS file system that, when processed by an application using readdir_r(), would cause that application to crash or, potentially, allow the attacker to execute arbitrary code with the privileges of the user running the application.

Published: October 09, 2013; 6:55:02 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-2207

pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.

Published: October 09, 2013; 6:55:02 PM -0400
V3.x:(not available)
V2.0: 2.6 LOW
CVE-2012-4424

Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.

Published: October 09, 2013; 6:55:02 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2012-4412

Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.

Published: October 09, 2013; 6:55:02 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-4788

The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.

Published: October 04, 2013; 1:55:09 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2011-4609

The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections.

Published: May 02, 2013; 10:55:01 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2009-5029

CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow

Published: May 02, 2013; 10:55:01 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-1914

Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results.

Published: April 29, 2013; 6:55:01 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-1095

locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.

Published: April 09, 2011; 10:55:01 PM -0400
V3.x:(not available)
V2.0: 6.2 MEDIUM