The version of glibc installed on the remote host is prior to 2.26-61. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1857 advisory.

  - A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory     corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and     size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and     escalate their privileges on the system. (CVE-2021-3999)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : glibc (ALAS-2022-1857)

high Nessus Plugin ID 166411

Version 1.4

Version 1.3

Version 1.2

Version 1.4 Oct 9, 2023, 5:00 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202310091700
Version 1.3 Nov 28, 2022, 4:23 PM CVSS metrics ("CVSSv2 score" changed from "7.5" to "6.8") CVSS metrics ("CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P" to "CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C") CVSSv2 severity (based on CVE-2021-3999, severity decreased from "High" to "Medium") Plugin Feed: 202211281623
Version 1.2 Oct 22, 2022, 1:45 AM New Plugin Feed: 202210220145