Description
envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.
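The zero-length entry described above, as an added shell example (not code from the Apache project or from this advisory): it contrasts an unconditional prepend, which leaves a trailing `:` when the variable was empty, with a guarded one, and checks the result for empty entries. The function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Return 0 when a colon-separated search path contains a zero-length entry
# (leading ':', trailing ':', or '::'). Per the description above, such an
# entry makes the current working directory part of the library search.
# A completely empty value is treated here as having no entries.
has_empty_path_entry() {
    case "$1" in
        "")          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Unsafe pattern: always appending the old value leaves a trailing ':'
# when the variable was unset or empty.
# $1 = library directory to add, $2 = existing value of the variable
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# Hardened pattern: add the separator only when there is an old value.
prepend_safe() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$1"
    fi
}

LIBDIR=/usr/local/apache2/lib   # constructed sample path

# Compare both patterns with an empty and a non-empty starting value.
for existing in "" "/opt/lib"; do
    for fn in prepend_unsafe prepend_safe; do
        result=$($fn "$LIBDIR" "$existing")
        if has_empty_path_entry "$result"; then
            verdict="EMPTY ENTRY"
        else
            verdict="ok"
        fi
        printf '%-15s existing=%-11s -> %-32s %s\n' \
            "$fn" "'$existing'" "$result" "$verdict"
    done
done
```

The same `has_empty_path_entry` check can be run against the value of `LD_LIBRARY_PATH` after sourcing an `envvars` file to confirm that no empty entry is present.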