Main Vulnerability Database SB2022083140

SB2022083140 - Information disclosure in GNU C Library (glibc)

Published: August 31, 2022 Updated: January 31, 2024

Security Bulletin ID SB2022083140

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2022-39046)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the software can store potentially sensitive data into a log file. When the syslog() function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

Remediation

Install update from vendor's website.

References

https://sourceware.org/bugzilla/show_bug.cgi?id=29536
https://security.netapp.com/advisory/ntap-20221104-0002/
https://security.gentoo.org/glsa/202310-03
http://www.openwall.com/lists/oss-security/2024/01/30/8
http://www.openwall.com/lists/oss-security/2024/01/30/6