Information disclosure in Glibc
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-1010024 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Glibc Universal components / Libraries / Libraries used by multiple products |
| Vendor | GNU |
Security Bulletin
This security bulletin contains information about 1 vulnerabilities.
Updated: 07.04.2020
Updated list of affected versions.
1) Information disclosure
EUVDB-ID: #VU21240
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C]
CVE-ID: CVE-2019-1010024
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way glibc creates threads with pthread_create and then works with internal cache to find already mmaped regions. A local user can create a specially crafted application that can abuse this feature and bypass implemented ASLR protection.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGlibc: 2.16 - 2.31
External linkshttp://sourceware.org/bugzilla/show_bug.cgi?id=22852
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
