Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2014-4043

Published: 06/10/2014 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Glibc

Vulnerability Summary

The posix_spawn_file_actions_addopen function in glibc prior to 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent malicious users to trigger use-after-free vulnerabilities.

Vulnerable Product Search on Vulmon Subscribe to Product

gnu glibc

opensuse opensuse 13.1

Vendor Advisories

Debian Security Advisories: DSA-3169-1 eglibc -- security update
Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library: CVE-2012-3406 The vfprintf function in stdio-common/vfprintfc in GNU C Library (aka glibc) 25, 212, and probably other versions does not properly restrict the use of the alloca function when allocating the SPECS array, which allows context- ...
Ubuntu Security Notice: eglibc regression
USN-2306-1 introduced a regression in the GNU C Library ...
Ubuntu Security Notice: eglibc regression
USN-2306-1 introduced a regression in the GNU C Library ...
Ubuntu Security Notice: eglibc vulnerabilities
Several security issues were fixed in the GNU C Library ...
Debian CVElist Bug Report Logs: eglibc: CVE-2014-4043: posix_spawn_file_actions_addopen fails to copy the path argument
Debian Bug report logs - #751774 eglibc: CVE-2014-4043: posix_spawn_file_actions_addopen fails to copy the path argument Package: src:eglibc; Maintainer for src:eglibc is (unknown); Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 16 Jun 2014 14:39:02 UTC Severity: normal Tags: fixed-upstream, security, ups ...
Debian CVElist Bug Report Logs: glibc: CVE-2015-1472 CVE-2015-1473
Debian Bug report logs - #777197 glibc: CVE-2015-1472 CVE-2015-1473 Package: glibc; Maintainer for glibc is GNU Libc Maintainers <debian-glibc@listsdebianorg>; Reported by: Moritz Muehlenhoff <jmm@inutilorg> Date: Fri, 6 Feb 2015 07:51:02 UTC Severity: grave Tags: security Fixed in versions glibc/219-15, eglibc ...
Debian CVElist Bug Report Logs: glibc: CVE-2014-7817 CVE-2014-9402
Debian Bug report logs - #775572 glibc: CVE-2014-7817 CVE-2014-9402 Package: src:glibc; Maintainer for src:glibc is GNU Libc Maintainers <debian-glibc@listsdebianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Sat, 17 Jan 2015 14:42:02 UTC Severity: important Tags: security Found in version glibc/219 ...
Debian CVElist Bug Report Logs: CVE-2012-3406: glibc formatted printing vulnerabilities
Debian Bug report logs - #681888 CVE-2012-3406: glibc formatted printing vulnerabilities Package: src:glibc; Maintainer for src:glibc is GNU Libc Maintainers <debian-glibc@listsdebianorg>; Reported by: Moritz Muehlenhoff <muehlenhoff@univentionde> Date: Fri, 13 Jul 2012 13:42:15 UTC Severity: important Tags: secur ...
Red Hat: CVE-2014-4043
The posix_spawn_file_actions_addopen function in glibc before 220 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities ...

Exploits

Exploit DB: WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials
The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities such as old software components embedded in the firmware Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector ...
Exploit DB: Cisco Device Hardcoded Credentials / GNU glibc / BusyBox
Many Cisco devices such as Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, and Cisco 160W suffer from having hard-coded credentials, known GNU glibc, known BusyBox, and IoT Inspector identified vulnerabilities ...

Mailing Lists

Full Disclosure: SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series <!--X-Subject-Heade ...
Full Disclosure: SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X <!--X-Subject-Head ...

Github Repositories

https://github.com/atgreen/red-light-green-light

A git-centric policy management and enforcement tool designed to accelerate your CI/CD pipelines.

Red Light Green Light A git-centric policy management and enforcement tool designed to accelerate your CI/CD pipelines Quick Start Try out the hosted version at rlgl Note that documents expire after 30 days For an example of real-world rlgl policy in action, check out the policy used to validate unit test reports for libffi on Github Actions builds: githu

References

CWE-94https://bugzilla.redhat.com/show_bug.cgi?id=1109263https://sourceware.org/bugzilla/show_bug.cgi?id=17048http://www.securityfocus.com/bid/68006http://www.mandriva.com/security/advisories?name=MDVSA-2014:152http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.htmlhttps://security.gentoo.org/glsa/201503-04https://exchange.xforce.ibmcloud.com/vulnerabilities/93784http://seclists.org/fulldisclosure/2019/Jun/18https://seclists.org/bugtraq/2019/Jun/14http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.htmlhttp://seclists.org/fulldisclosure/2019/Sep/7https://seclists.org/bugtraq/2019/Sep/7http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.htmlhttps://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=blobdiff%3Bf=ChangeLog%3Bh=3020b9ac232315df362521aeaf85f21cb9926db8%3Bhp=d86e73963dd9fb5e21b1a28326630337226812aa%3Bhb=89e435f3559c53084498e9baad22172b64429362%3Bhpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=89e435f3559c53084498e9baad22172b64429362https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=blobdiff%3Bf=posix/spawn_faction_addopen.c%3Bh=40800b8e6e81341501c0fb8a91009529e2048dec%3Bhp=47f62425b696a4fdd511b2a057746322eb6518db%3Bhb=89e435f3559c53084498e9baad22172b64429362%3Bhpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845https://nvd.nist.govhttps://www.debian.org/security/./dsa-3169https://usn.ubuntu.com/2306-3/https://access.redhat.com/security/cve/cve-2014-4043
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
blind SQL injectionCVE-2006-4304CVE-2023-26603CVE-2024-28327CVE-2023-50363CVE-2024-21905template injectionCVE-2024-3400cross-site request forgery
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook