{"api_version":"1","generated_at":"2026-04-23T02:20:14+00:00","cve":"CVE-2021-36770","urls":{"html":"https://cve.report/CVE-2021-36770","api":"https://cve.report/api/cve/CVE-2021-36770.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-36770","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-36770"},"summary":{"title":"CVE-2021-36770","description":"Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-08-11 23:15:00","updated_at":"2023-11-07 03:36:00"},"problem_types":["CWE-427"],"metrics":[],"references":[{"url":"https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74","name":"https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74","refsource":"CONFIRM","tags":[],"title":"version 3.12 to address CVE-2021-36770 · dankogai/p5-encode@527e482 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9","name":"https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9","refsource":"CONFIRM","tags":[],"title":"Encode.pm: apply a local patch for CVE-2021-36770 · Perl/perl5@c1a937f · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/","name":"FEDORA-2021-92e07de1dd","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: perl-Encode-3.12-460.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://news.cpanel.com/unscheduled-tsr-10-august-2021/","name":"https://news.cpanel.com/unscheduled-tsr-10-august-2021/","refsource":"CONFIRM","tags":[],"title":"Unscheduled TSR 10 August 2021 | cPanel Newsroom","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/","name":"FEDORA-2021-44c65203cc","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: perl-Encode-3.08-459.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://metacpan.org/dist/Encode/changes","name":"https://metacpan.org/dist/Encode/changes","refsource":"CONFIRM","tags":[],"title":"Changes - metacpan.org","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security-tracker.debian.org/tracker/CVE-2021-36770","name":"https://security-tracker.debian.org/tracker/CVE-2021-36770","refsource":"MISC","tags":[],"title":"CVE-2021-36770","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/","name":"FEDORA-2021-92e07de1dd","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: perl-Encode-3.12-460.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20210909-0003/","name":"https://security.netapp.com/advisory/ntap-20210909-0003/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-36770 Perl Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/","name":"FEDORA-2021-44c65203cc","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: perl-Encode-3.08-459.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-36770","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36770","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"36770","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"36770","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"36770","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"p5-encode_project","cpe5":"p5-encode","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"36770","vulnerable":"-1","versionEndIncluding":"5.34.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"perl","cpe5":"perl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-36770","qid":"180406","title":"Debian Security Update for perllibencode-perl (CVE-2021-36770)"},{"cve":"CVE-2021-36770","qid":"198454","title":"Ubuntu Security Notification for Perl vulnerability (USN-5033-1)"},{"cve":"CVE-2021-36770","qid":"281799","title":"Fedora Security Update for perl (FEDORA-2021-92e07de1dd)"},{"cve":"CVE-2021-36770","qid":"281854","title":"Fedora Security Update for perl (FEDORA-2021-44c65203cc)"},{"cve":"CVE-2021-36770","qid":"501990","title":"Alpine Linux Security Update for perl-encode"},{"cve":"CVE-2021-36770","qid":"501991","title":"Alpine Linux Security Update for perl"},{"cve":"CVE-2021-36770","qid":"504282","title":"Alpine Linux Security Update for perl-encode"},{"cve":"CVE-2021-36770","qid":"504288","title":"Alpine Linux Security Update for perl"},{"cve":"CVE-2021-36770","qid":"672138","title":"EulerOS Security Update for perl-encode (EulerOS-SA-2022-2420)"},{"cve":"CVE-2021-36770","qid":"672142","title":"EulerOS Security Update for perl-encode (EulerOS-SA-2022-2433)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-36770","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://metacpan.org/dist/Encode/changes","url":"https://metacpan.org/dist/Encode/changes"},{"refsource":"MISC","name":"https://security-tracker.debian.org/tracker/CVE-2021-36770","url":"https://security-tracker.debian.org/tracker/CVE-2021-36770"},{"refsource":"CONFIRM","name":"https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74","url":"https://github.com/dankogai/p5-encode/commit/527e482dc70b035d0df4f8c77a00d81f8d775c74"},{"refsource":"CONFIRM","name":"https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9","url":"https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9"},{"refsource":"CONFIRM","name":"https://news.cpanel.com/unscheduled-tsr-10-august-2021/","url":"https://news.cpanel.com/unscheduled-tsr-10-august-2021/"},{"refsource":"FEDORA","name":"FEDORA-2021-92e07de1dd","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KOZYD7BH2DNIAEZ2ZL4PJ4QUVQI6Y33/"},{"refsource":"FEDORA","name":"FEDORA-2021-44c65203cc","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5NDGQSGMEZ75FJGBKNYC75OTO7TF7XHB/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210909-0003/","url":"https://security.netapp.com/advisory/ntap-20210909-0003/"}]}},"nvd":{"publishedDate":"2021-08-11 23:15:00","lastModifiedDate":"2023-11-07 03:36:00","problem_types":["CWE-427"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:p5-encode_project:p5-encode:*:*:*:*:*:*:*:*","versionStartIncluding":"3.05","versionEndExcluding":"3.12","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*","versionEndIncluding":"5.34.0","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"36770","Ordinal":"212332","Title":"CVE-2021-36770","CVE":"CVE-2021-36770","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"36770","Ordinal":"1","NoteData":"Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"36770","Ordinal":"2","NoteData":"2021-08-11","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"36770","Ordinal":"3","NoteData":"2021-09-09","Type":"Other","Title":"Modified"}]}}}