CVE-2021-35331 - OpenCVE

In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Tcl	Tcl

Configuration 1 [-]

cpe:2.3:a:tcl:tcl:8.6.11:*:*:*:*:*:*:*

References

Link	Resource
https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2	Exploit Patch Vendor Advisory
https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280	Exploit Vendor Advisory
https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222	Patch Third Party Advisory
https://sqlite.org/forum/info/7dcd751996c93ec9	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-07-05T14:59:29

Updated: 2021-07-27T18:43:21

Reserved: 2021-06-23T00:00:00

Link: CVE-2021-35331

JSON object: View

NVD Information

Status : Modified

Published: 2021-07-05T15:15:07.997

Modified: 2024-05-17T01:58:36.660

Link: CVE-2021-35331

JSON object: View

Redhat Information

No data.

CWE

CWE-134

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-27T18:43:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280"}, {"tags": ["x_refsource_MISC"], "url": "https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222"}, {"tags": ["x_refsource_MISC"], "url": "https://sqlite.org/forum/info/7dcd751996c93ec9"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35331", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280", "refsource": "MISC", "url": "https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280"}, {"name": "https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2", "refsource": "MISC", "url": "https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2"}, {"name": "https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222", "refsource": "MISC", "url": "https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222"}, {"name": "https://sqlite.org/forum/info/7dcd751996c93ec9", "refsource": "MISC", "url": "https://sqlite.org/forum/info/7dcd751996c93ec9"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35331", "datePublished": "2021-07-05T14:59:29", "dateReserved": "2021-06-23T00:00:00", "dateUpdated": "2021-07-27T18:43:21", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tcl:tcl:8.6.11:*:*:*:*:*:*:*", "matchCriteriaId": "6BE08290-3693-466E-A9E8-92E1E40D6357", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding"}, {"lang": "es", "value": "** EN DISPUTA ** En Tcl versi\u00f3n 8.6.11, una vulnerabilidad de cadena de formato en nmakehlp.c podr\u00eda permitir la ejecuci\u00f3n de c\u00f3digo a trav\u00e9s de un archivo manipulado. NOTA: varios terceros discuten la importancia de este hallazgo."}], "id": "CVE-2021-35331", "lastModified": "2024-05-17T01:58:36.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-05T15:15:07.997", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sqlite.org/forum/info/7dcd751996c93ec9"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}], "source": "nvd@nist.gov", "type": "Primary"}]}