{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-12-07T00:00:00", "descriptions": [{"lang": "en", "value": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "42547", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42547"}, {"name": "1024832", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1024832"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"name": "VU#912279", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"name": "45233", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/45233"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"name": "15935", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/15935"}, {"name": "8003", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/8003"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["third-party-advisory", "x_refsource_SREASONRES"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4052", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "42547", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42547"}, {"name": "1024832", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1024832"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"name": "VU#912279", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/912279"}, {"name": "45233", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45233"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"name": "http://cxib.net/stuff/proftpd.gnu.c", "refsource": "MISC", "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"name": "15935", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15935"}, {"name": "8003", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/8003"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "refsource": "SREASONRES", "url": "http://securityreason.com/achievement_securityalert/93"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=645859", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T03:34:37.250Z"}, "title": "CVE Program Container", "references": [{"name": "42547", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42547"}, {"name": "1024832", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1024832"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"name": "VU#912279", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"name": "45233", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/45233"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"name": "15935", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/15935"}, {"name": "8003", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/8003"}, {"name": "20110107 GNU libc/regcomp(3) Multiple Vulnerabilities", "tags": ["third-party-advisory", "x_refsource_SREASONRES", "x_transferred"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4052", "datePublished": "2011-01-13T18:35:00", "dateReserved": "2010-10-22T00:00:00", "dateUpdated": "2024-08-07T03:34:37.250Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:1.00:*:*:*:*:*:*:*", "matchCriteriaId": "AA23C241-132B-423E-A22A-7206A8074D10", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.01:*:*:*:*:*:*:*", "matchCriteriaId": "F79978B1-8831-4169-B815-80138C85832C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.02:*:*:*:*:*:*:*", "matchCriteriaId": "991EB676-F043-418D-BD81-0BB937236D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.03:*:*:*:*:*:*:*", "matchCriteriaId": "AA0C5DB0-602E-4296-884C-60E24FC80458", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.04:*:*:*:*:*:*:*", "matchCriteriaId": "3211F47C-DF6D-4355-95F8-DED317700621", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.05:*:*:*:*:*:*:*", "matchCriteriaId": "229BFD88-A90F-4D2B-97B9-822A7D87EAEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.06:*:*:*:*:*:*:*", "matchCriteriaId": "FFE253B0-D8E0-4099-8CA7-8925B4809F88", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.07:*:*:*:*:*:*:*", "matchCriteriaId": "D640F556-8181-4F15-B2F7-7EC7E8869FB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.08:*:*:*:*:*:*:*", "matchCriteriaId": "061383CD-B9AD-41C6-8C46-F79870B9CD22", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.09:*:*:*:*:*:*:*", "matchCriteriaId": "9897B03F-A457-4B29-9C5E-FEA084D3BF0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:1.09.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7C3684B-CE01-46B5-9E41-BF58E6A5AA64", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E2A0F12-FD00-40B9-86AD-7D082385E5DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "8ED8F0E8-A969-4F7F-A100-662F4A5426FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "9416576F-A605-45BE-AA01-FEF357A66979", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AE582B8F-4E31-4D0F-B2F9-AC83C855F751", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "DB56D9C9-13B3-418C-B06C-0997E165F1C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.3.10:*:*:*:*:*:*:*", "matchCriteriaId": "8AFD93D5-70BB-475C-BDD3-DEDE9965C5BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "19D5667D-5EA4-4B44-BF8A-9C10506BD4E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.10:*:*:*:*:*:*:*", "matchCriteriaId": "E3D70AB0-2910-4191-9980-5BA78E8F2E11", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A30D0EE-1AED-4C99-8A22-24E47212F3FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "9A93600D-7271-4AF5-8133-C6AA5BC8543F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11:*:*:*:*:*:*:*", "matchCriteriaId": "4169CA4B-C4F5-499A-A35A-49DD43AC0A22", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3AC9749-52C5-4E17-8A77-5F4ED91FA8E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "C55E32EC-33A6-4145-9B76-C7E3DBACD1E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "6423F0B5-E483-4DE9-B13F-3A7322F055DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "A0B4AFFF-A537-44BD-B97A-EFA9409DB8BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "C543B0E8-8B48-44A4-B63F-B2D9EA23E8EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:glibc:2.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "37880948-2AB5-491A-85E2-B7E271E03B1D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD."}, {"lang": "es", "value": "Vulnerabilidad de lconsumo de pila de memoria en la aplicaci\u00f3n regcomp en la Biblioteca de C de GNU (tambi\u00e9n conocido como glibc o libc6) hasta v2.11.3, y v2.12.x hasta v2.12.2, permite a atacantes dependientes de contexto para provocar una denegaci\u00f3n de servicio (agotamiento de recursos) a trav\u00e9s de expresi\u00f3n regular que contiene operadores de repetici\u00f3n adyacentes, como se demuestra con una secuencia {10} {10} {10} {10} en el exploit proftpd.gnu.c para ProFTPD."}], "id": "CVE-2010-4052", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-01-13T19:00:02.963", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/42547"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://securityreason.com/securityalert/8003"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1024832"}, {"source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/15935"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/45233"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://cxib.net/stuff/proftpd.gnu.c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2011/Jan/78"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/42547"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://securityreason.com/achievement_securityalert/93"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://securityreason.com/securityalert/8003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1024832"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/15935"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/912279"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/515589/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/45233"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-399"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "glibc: De-recursivise regular expression engine", "id": "645859", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=645859"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "status": "draft"}, "details": ["Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD."], "name": "CVE-2010-4052", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:3", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2010-12-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-4052\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-4052"], "statement": "Red Hat does not consider crash of client application, using regcomp() \nor regexec() routines on untrusted input without preliminary checking \nthe input for the sanity, to be a security issue (the described deficiency \nimplies and is a known limitation of the glibc regular expression engine \nimplementation). The expressions can be modified to avoid quantification \nnesting, or program modified to limit size of input passed to regular \nexpression engine. We do not currently plan to fix these flaws. If more \ninformation becomes available at a future date, we may revisit these issues."}

{}