Empty Search Path (PATH or LD_LIBRARY_PATH) could lead to security vulnerabilities.
CWE-427: Uncontrolled Search Path Element
CWE - CWE-427: Uncontrolled Search Path Element (4.14) / Wayback Machine
In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element.
Empty Entry in LD_LIBRARY_PATH May Lead to Security Issues
Empty Entry in LD_LIBRARY_PATH May Lead to Security Issues / Wayback Machine
An empty item is interpreted by
ldas the current working directory. As a result,ldmay load library from the current working directory, causing unintended effects, or even security vulnerability if an attacker puts some harmful library in the current directory.
CVE-2010-4450
Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.
