Multiple vulnerabilities in suidperl 5.6.1 and earlier allow a local user to obtain sensitive information about files for which the user does not have appropriate permissions.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | suidperl | * |
| debian | debian_linux | 3.0 |
The escape_dangerous_chars function in CGI::Lite 2.0 and earlier does not correctly remove special characters including (1) "\" (backslash), (2) "?", (3) "~" (tilde), (4) "^" (carat), (5) newline, or (6) carriage return, which could allow remote attackers to read or write arbitrary files, or execute arbitrary commands, in shell scripts that rely on CGI::Lite to filter such dangerous inputs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | cgi_lite | 2.0 |
Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | convert_uulib | * |
Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.9.2 |
| perl | perl | 5.8.6 |
Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.8.5 |
| perl | perl | 5.8.7 |
| perl | perl | 5.8.2 |
| perl | perl | 5.8.8 |
| perl | perl | 5.8.3 |
| perl | perl | 5.8.1 |
| perl | perl | 5.8.6 |
| perl | perl | 5.8.9 |
| perl | perl | 5.8.4 |
Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.10.1 |
| perl | perl | 5.10.0 |
The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.13.1 |
| perl | perl | 5.12.2 |
| perl | perl | 5.13.9 |
| perl | perl | 5.13.7 |
| perl | perl | 5.13.11 |
| perl | perl | 5.11.5 |
| perl | perl | 5.13.6 |
| perl | perl | 5.12.3 |
| perl | perl | 5.12.1 |
| perl | perl | 5.13.4 |
| perl | perl | 5.13.0 |
| perl | perl | 5.11.4 |
| perl | perl | 5.10.0 |
| perl | perl | 5.11.0 |
| perl | perl | 5.13.3 |
| perl | perl | 5.11.3 |
| perl | perl | 5.10.1 |
| perl | perl | 5.13.2 |
| perl | perl | 5.11.2 |
| perl | perl | 5.12.0 |
| perl | perl | 5.13.10 |
| perl | perl | 5.13.8 |
| perl | perl | 5.11.1 |
| perl | perl | 5.13.5 |
Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dan_kogai | encode_module | 1.51 |
| dan_kogai | encode_module | 1.84 |
| perl | perl | 5.8.7 |
| perl | perl | 5.13.9 |
| perl | perl | 5.14.1 |
| dan_kogai | encode_module | 1.63 |
| dan_kogai | encode_module | 1.61 |
| perl | perl | 5.13.11 |
| perl | perl | 5.8.1 |
| perl | perl | 5.9.2 |
| perl | perl | 5.11.5 |
| dan_kogai | encode_module | 1.88 |
| dan_kogai | encode_module | 1.97 |
| dan_kogai | encode_module | 2.34 |
| perl | perl | 5.12.1 |
| dan_kogai | encode_module | 2.33 |
| dan_kogai | encode_module | 2.06 |
| dan_kogai | encode_module | 1.81 |
| dan_kogai | encode_module | 2.27 |
| dan_kogai | encode_module | 2.11 |
| dan_kogai | encode_module | 2.18 |
| dan_kogai | encode_module | 2.22 |
| dan_kogai | encode_module | 1.66 |
| dan_kogai | encode_module | 1.76 |
| dan_kogai | encode_module | 1.90 |
| dan_kogai | encode_module | 1.32 |
| dan_kogai | encode_module | 2.07 |
| dan_kogai | encode_module | 0.96 |
| dan_kogai | encode_module | 1.77 |
| dan_kogai | encode_module | 2.01 |
| dan_kogai | encode_module | 2.32 |
| dan_kogai | encode_module | 2.41 |
| dan_kogai | encode_module | 1.93 |
| dan_kogai | encode_module | 1.70 |
| perl | perl | 5.12.0 |
| perl | perl | 5.10 |
| dan_kogai | encode_module | 1.55 |
| dan_kogai | encode_module | 2.30 |
| perl | perl | 5.11.1 |
| perl | perl | 5.14.0 |
| dan_kogai | encode_module | 2.05 |
| dan_kogai | encode_module | 1.86 |
| dan_kogai | encode_module | 1.99 |
| dan_kogai | encode_module | 1.67 |
| perl | perl | 5.8.8 |
| dan_kogai | encode_module | 1.42 |
| dan_kogai | encode_module | 1.89 |
| dan_kogai | encode_module | 2.04 |
| dan_kogai | encode_module | 1.91 |
| dan_kogai | encode_module | 2.21 |
| dan_kogai | encode_module | 1.74 |
| perl | perl | 5.13.4 |
| dan_kogai | encode_module | 1.01 |
| dan_kogai | encode_module | 1.53 |
| dan_kogai | encode_module | 2.20 |
| dan_kogai | encode_module | 0.97 |
| dan_kogai | encode_module | 1.87 |
| dan_kogai | encode_module | 2.13 |
| perl | perl | 5.10.0 |
| dan_kogai | encode_module | 1.30 |
| perl | perl | 5.8.5 |
| perl | perl | 5.11.0 |
| dan_kogai | encode_module | 1.62 |
| dan_kogai | encode_module | 1.82 |
| dan_kogai | encode_module | 2.08 |
| dan_kogai | encode_module | 0.94 |
| dan_kogai | encode_module | 2.0 |
| dan_kogai | encode_module | 1.95 |
| dan_kogai | encode_module | 1.78 |
| dan_kogai | encode_module | 1.26 |
| dan_kogai | encode_module | 2.24 |
| dan_kogai | encode_module | 1.71 |
| perl | perl | 5.10.1 |
| dan_kogai | encode_module | 2.03 |
| dan_kogai | encode_module | 2.16 |
| dan_kogai | encode_module | 1.58 |
| dan_kogai | encode_module | 1.98 |
| perl | perl | 5.13.1 |
| dan_kogai | encode_module | 1.92 |
| perl | perl | 5.12.2 |
| dan_kogai | encode_module | 1.73 |
| dan_kogai | encode_module | 2.35 |
| dan_kogai | encode_module | 1.25 |
| dan_kogai | encode_module | 2.31 |
| dan_kogai | encode_module | 0.98 |
| dan_kogai | encode_module | 1.56 |
| dan_kogai | encode_module | 1.75 |
| dan_kogai | encode_module | 1.21 |
| dan_kogai | encode_module | 1.20 |
| dan_kogai | encode_module | 2.12 |
| dan_kogai | encode_module | 1.11 |
| dan_kogai | encode_module | 1.33 |
| dan_kogai | encode_module | 2.39 |
| dan_kogai | encode_module | 2.42 |
| dan_kogai | encode_module | * |
| dan_kogai | encode_module | 2.38 |
| perl | perl | 5.11.4 |
| dan_kogai | encode_module | 1.64 |
| dan_kogai | encode_module | 1.94 |
| dan_kogai | encode_module | 1.69 |
| dan_kogai | encode_module | 2.25 |
| dan_kogai | encode_module | 1.68 |
| perl | perl | 5.11.3 |
| perl | perl | 5.8.4 |
| dan_kogai | encode_module | 2.23 |
| dan_kogai | encode_module | 1.85 |
| dan_kogai | encode_module | 1.34 |
| dan_kogai | encode_module | 1.60 |
| dan_kogai | encode_module | 1.40 |
| dan_kogai | encode_module | 0.95 |
| dan_kogai | encode_module | 2.14 |
| dan_kogai | encode_module | 0.99 |
| dan_kogai | encode_module | 1.52 |
| dan_kogai | encode_module | 1.72 |
| dan_kogai | encode_module | 1.50 |
| dan_kogai | encode_module | 1.59 |
| dan_kogai | encode_module | 1.65 |
| dan_kogai | encode_module | 2.17 |
| dan_kogai | encode_module | 2.28 |
| dan_kogai | encode_module | 1.83 |
| dan_kogai | encode_module | 1.79 |
| perl | perl | 5.8.2 |
| perl | perl | 5.13.7 |
| dan_kogai | encode_module | 1.80 |
| dan_kogai | encode_module | 2.19 |
| dan_kogai | encode_module | 2.10 |
| dan_kogai | encode_module | 0.93 |
| dan_kogai | encode_module | 2.36 |
| dan_kogai | encode_module | 1.57 |
| perl | perl | 5.13.6 |
| dan_kogai | encode_module | 1.10 |
| dan_kogai | encode_module | 2.15 |
| perl | perl | 5.12.3 |
| dan_kogai | encode_module | 2.29 |
| dan_kogai | encode_module | 1.31 |
| dan_kogai | encode_module | 1.28 |
| perl | perl | * |
| dan_kogai | encode_module | 2.26 |
| perl | perl | 5.13.0 |
| perl | perl | 5.8.6 |
| dan_kogai | encode_module | 2.09 |
| dan_kogai | encode_module | 1.54 |
| perl | perl | 5.13.3 |
| dan_kogai | encode_module | 1.41 |
| dan_kogai | encode_module | 2.02 |
| perl | perl | 5.8.9 |
| dan_kogai | encode_module | 2.37 |
| perl | perl | 5.13.2 |
| dan_kogai | encode_module | 1.96 |
| perl | perl | 5.11.2 |
| perl | perl | 5.13.10 |
| perl | perl | 5.8.3 |
| perl | perl | 5.8.10 |
| perl | perl | 5.13.8 |
| dan_kogai | encode_module | 1.00 |
| dan_kogai | encode_module | 2.40 |
| perl | perl | 5.13.5 |
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.13.1 |
| perl | perl | 5.12.2 |
| perl | perl | 5.13.9 |
| perl | perl | 5.14.1 |
| perl | perl | 5.13.7 |
| perl | perl | 5.13.11 |
| perl | perl | 5.11.5 |
| perl | perl | 5.13.6 |
| perl | perl | 5.16.1 |
| perl | perl | 5.14.2 |
| perl | perl | 5.12.3 |
| perl | perl | 5.12.1 |
| perl | perl | 5.13.4 |
| perl | perl | * |
| perl | perl | 5.13.0 |
| perl | perl | 5.11.4 |
| perl | perl | 5.10.0 |
| perl | perl | 5.11.0 |
| perl | perl | 5.16.0 |
| perl | perl | 5.13.3 |
| perl | perl | 5.11.3 |
| perl | perl | 5.10.1 |
| perl | perl | 5.13.2 |
| perl | perl | 5.11.2 |
| perl | perl | 5.12.0 |
| perl | perl | 5.13.10 |
| perl | perl | 5.13.8 |
| perl | perl | 5.10 |
| perl | perl | 5.11.1 |
| perl | perl | 5.14.0 |
| perl | perl | 5.13.5 |
| perl | perl | 5.14.3 |
The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.13.1 |
| perl | perl | 5.8.7 |
| perl | perl | 5.12.2 |
| perl | perl | 5.13.9 |
| perl | perl | 5.14.1 |
| perl | perl | 5.8.2 |
| perl | perl | 5.8.8 |
| perl | perl | 5.13.7 |
| perl | perl | 5.13.11 |
| perl | perl | 5.11.5 |
| perl | perl | 5.13.6 |
| perl | perl | 5.16.1 |
| perl | perl | 5.14.2 |
| perl | perl | 5.12.3 |
| perl | perl | 5.16.2 |
| perl | perl | 5.12.1 |
| perl | perl | 5.13.4 |
| perl | perl | 5.13.0 |
| perl | perl | 5.8.6 |
| perl | perl | 5.11.4 |
| perl | perl | 5.12.4 |
| perl | perl | 5.10.0 |
| perl | perl | 5.8.5 |
| perl | perl | 5.11.0 |
| perl | perl | 5.16.0 |
| perl | perl | 5.13.3 |
| perl | perl | 5.8.9 |
| perl | perl | 5.11.3 |
| perl | perl | 5.8.4 |
| perl | perl | 5.10.1 |
| perl | perl | 5.13.2 |
| perl | perl | 5.11.2 |
| perl | perl | 5.12.0 |
| perl | perl | 5.13.10 |
| perl | perl | 5.8.3 |
| perl | perl | 5.8.10 |
| perl | perl | 5.13.8 |
| perl | perl | 5.10 |
| perl | perl | 5.11.1 |
| perl | perl | 5.14.0 |
| perl | perl | 5.13.5 |
| perl | perl | 5.14.3 |
The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | cgi_application_module | * |
Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| perl | perl | 5.18.4 |
An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | dbi | * |
| canonical | ubuntu_linux | 14.04 |
An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | dbi | * |
An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L | 1.8 | 4.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | dbi | * |
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L | 1.8 | 4.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | dbi | * |
The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| data_dumper_project | data_dumper | * |
| perl | perl | * |
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | pathtools | * |
| canonical | ubuntu_linux | 15.10 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 15.04 |
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.22 |
The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | * |
| fedoraproject | fedora | 22 |
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.003_28 |
| perl | perl | 5.8.7 |
| perl | perl | 5.13.9 |
| perl | perl | 5.003_14 |
| perl | perl | 5.13.11 |
| perl | perl | 5.17.2 |
| perl | perl | 5.8.1 |
| perl | perl | 5.11.5 |
| perl | perl | 5.000o |
| perl | perl | 5.17.4 |
| perl | perl | 5.16.1 |
| perl | perl | 5.003_11 |
| perl | perl | 5.12.1 |
| perl | perl | 5.003_05 |
| perl | perl | 5.003_97f |
| perl | perl | 5.19.1 |
| perl | perl | 5.9.4 |
| apache | spamassassin | * |
| perl | perl | 5.002_01 |
| opensuse | leap | 15.0 |
| perl | perl | 5.17.8 |
| perl | perl | 5.12.0 |
| perl | perl | 5.15.6 |
| perl | perl | 5.12.5 |
| perl | perl | 5.9.5 |
| perl | perl | 5.10 |
| perl | perl | 5.14.0 |
| perl | perl | 5.21.3 |
| perl | perl | 5.19.9 |
| perl | perl | 5.21.4 |
| perl | perl | 5.21.5 |
| perl | perl | 5.003_98 |
| perl | perl | 5.003_08 |
| perl | perl | 5.17.10 |
| perl | perl | 5.21.11 |
| perl | perl | 5.11.0 |
| perl | perl | 5.15.1 |
| perl | perl | 5.003_93 |
| perl | perl | 5.003 |
| perl | perl | 5.003_12 |
| perl | perl | 5.003_09 |
| perl | perl | 5.21.9 |
| perl | perl | 5.19.11 |
| perl | perl | 5.9.0 |
| perl | perl | 5.19.10 |
| perl | perl | 5.003_01 |
| perl | perl | 5.20.3 |
| perl | perl | 5.12.2 |
| perl | perl | 5.8.0 |
| perl | perl | 5.8 |
| perl | perl | 5.005_02 |
| perl | perl | 5.17.6 |
| perl | perl | 5.21.1 |
| perl | perl | 5.19.0 |
| perl | perl | 5.6.2 |
| perl | perl | 5.003_97 |
| perl | perl | 5.11.3 |
| perl | perl | 5.8.4 |
| perl | perl | 5.15.0 |
| perl | perl | 5.18.1 |
| perl | perl | 5.003_97h |
| perl | perl | 5.003_07 |
| perl | perl | 5.004_02 |
| perl | perl | 5.003_20 |
| perl | perl | 5.17.7 |
| perl | perl | 5.003_04 |
| perl | perl | 1.0.16 |
| perl | perl | 5.21.2 |
| perl | perl | 5.15.8 |
| perl | perl | 5.003_97c |
| perl | perl | 5.14.2 |
| perl | perl | 5.003_25 |
| perl | perl | 5.003_17 |
| perl | perl | 5.9.1 |
| perl | perl | 5.16.3 |
| perl | perl | 5.20.2 |
| perl | perl | 5.18.2 |
| perl | perl | 5.003_26 |
| perl | perl | 5.15.3 |
| perl | perl | 5.20.1 |
| perl | perl | 5.002 |
| perl | perl | 5.16.0 |
| perl | perl | 5.13.3 |
| perl | perl | 5.8.9 |
| perl | perl | 5.17.11 |
| perl | perl | 5.13.2 |
| perl | perl | 5.11.2 |
| perl | perl | 5.19.6 |
| perl | perl | 5.003_96 |
| perl | perl | 5.13.5 |
| perl | perl | 5.17.5 |
| perl | perl | 5.14.1 |
| perl | perl | 5.000 |
| perl | perl | 5.9.2 |
| perl | perl | 5.15.9 |
| perl | perl | 5.19.8 |
| perl | perl | 5.6 |
| perl | perl | 5.17.0 |
| perl | perl | 5.003_97g |
| perl | perl | 5.003_22 |
| perl | perl | 5.22.2 |
| perl | perl | 5.003_91 |
| perl | perl | 5.003_97b |
| perl | perl | 5.003_99a |
| perl | perl | 5.003_02 |
| perl | perl | 5.003_15 |
| perl | perl | 5.18.3 |
| perl | perl | 5.003_23 |
| perl | perl | 5.17.1 |
| perl | perl | 5.11.1 |
| perl | perl | 5.17.7.0 |
| perl | perl | 5.14.3 |
| perl | perl | 5.003_97d |
| perl | perl | 5.18.0 |
| perl | perl | 5.8.8 |
| perl | perl | 5.19.7 |
| perl | perl | 5.15.5 |
| perl | perl | 5.15.4 |
| perl | perl | 5.13.4 |
| perl | perl | 5.19.2 |
| perl | perl | 5.003_94 |
| perl | perl | 5.003_97a |
| perl | perl | 5.005_03 |
| perl | perl | 5.10.0 |
| perl | perl | 5.003_27 |
| perl | perl | 5.8.5 |
| perl | perl | 5.7.3 |
| perl | perl | 5.001 |
| perl | perl | 5.003_97e |
| perl | perl | 5.19.5 |
| fedoraproject | fedora | 24 |
| perl | perl | 5.21.7 |
| perl | perl | 5.10.1 |
| perl | perl | 5.19.4 |
| perl | perl | 5.005_04 |
| perl | perl | 5.14.4 |
| perl | perl | 5.13.1 |
| perl | perl | 5.004 |
| perl | perl | 5.005_01 |
| perl | perl | 5.21.0 |
| perl | perl | 5.18.4 |
| perl | perl | 5.004_05 |
| perl | perl | 5.003_95 |
| perl | perl | 5.22.0 |
| perl | perl | 5.001n |
| perl | perl | 5.15.2 |
| perl | perl | 5.22.1 |
| perl | perl | 5.11.4 |
| perl | perl | 5.003_21 |
| perl | perl | 5.12.4 |
| perl | perl | 5.6.1 |
| perl | perl | 5.003_24 |
| perl | perl | 5.004_04 |
| perl | perl | 5.24.0 |
| perl | perl | 5.003_13 |
| perl | perl | 5.004_01 |
| perl | perl | 5.003_10 |
| perl | perl | 5.6.0 |
| perl | perl | 5.8.2 |
| perl | perl | 5.13.7 |
| perl | perl | 5.003_97i |
| perl | perl | 5.22.3 |
| debian | debian_linux | 8.0 |
| perl | perl | 1.0.15 |
| perl | perl | 5.003_19 |
| perl | perl | 5.13.6 |
| perl | perl | 5.003_16 |
| perl | perl | 5.15.7 |
| perl | perl | 5.21.8 |
| perl | perl | 5.12.3 |
| perl | perl | 5.16.2 |
| perl | perl | 5.003_90 |
| perl | perl | 5.17.3 |
| perl | perl | 5.13.0 |
| perl | perl | 5.003_99 |
| perl | perl | 5.8.6 |
| perl | perl | 5.004_03 |
| perl | perl | 5.003_03 |
| perl | perl | 5.003_97j |
| perl | perl | 5.21.10 |
| perl | perl | 5.005 |
| perl | perl | 5.17.9 |
| perl | perl | 5.20.0 |
| perl | perl | 5.24.1 |
| fedoraproject | fedora | 23 |
| perl | perl | 5.003_92 |
| perl | perl | 5.9.3 |
| perl | perl | 5.13.10 |
| perl | perl | 5.8.3 |
| perl | perl | 5.13.8 |
| perl | perl | 5.21.6 |
| perl | perl | 5.003_18 |
| perl | perl | 5.19.3 |
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | timesten_in-memory_database | * |
| oracle | configuration_manager | * |
| oracle | database_server | 12.1.0.2 |
| oracle | configuration_manager | 12.1.2.0.6 |
| canonical | ubuntu_linux | 15.10 |
| oracle | database_server | 12.2.0.1 |
| oracle | enterprise_manager_base_platform | 13.2.0.0.0 |
| debian | debian_linux | 8.0 |
| oracle | communications_billing_and_revenue_management | 7.5 |
| oracle | solaris | 11.3 |
| oracle | database_server | 18c |
| oracle | enterprise_manager_base_platform | 13.3.0.0.0 |
| oracle | database_server | 19c |
| oracle | database_server | 11.2.0.4 |
| canonical | ubuntu_linux | 12.04 |
| perl | perl | * |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 13.2 |
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 12.04 |
| perl | perl | * |
| fedoraproject | fedora | 22 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 14.04 |
| oracle | solaris | 11.3 |
| oracle | solaris | 10 |
| fedoraproject | fedora | 23 |
| fedoraproject | fedora | 24 |
| canonical | ubuntu_linux | 17.10 |
Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.26.0 |
| perl | perl | * |
Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.26.0 |
| perl | perl | * |
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.26.0 |
| perl | perl | * |
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| debian | debian_linux | 8.0 |
| netapp | snap_creator_framework | - |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 16.04 |
| archive::tar_project | archive::tar | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 18.04 |
| perl | perl | * |
| netapp | data_ontap_edge | - |
| canonical | ubuntu_linux | 14.04 |
| netapp | snapdrive | - |
| netapp | oncommand_workflow_automation | - |
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux | 7.0 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server | 7.0 |
| netapp | snap_creator_framework | - |
| redhat | enterprise_linux | 6.0 |
| netapp | snapdriver | - |
| redhat | enterprise_linux | 7.4 |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux | 7.5 |
| canonical | ubuntu_linux | 18.04 |
| perl | perl | * |
| redhat | enterprise_linux_server_aus | 7.6 |
| fedoraproject | fedora | 29 |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux_desktop | 7.0 |
| netapp | snapcenter | - |
| netapp | e-series_santricity_os_controller | - |
| redhat | enterprise_linux_server_tus | 7.6 |
| apple | mac_os_x | * |
| debian | debian_linux | 9.0 |
| mcafee | web_gateway | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 18.10 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux | 7.6 |
| redhat | openshift_container_platform | 3.11 |
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| netapp | snap_creator_framework | - |
| redhat | enterprise_linux | 6.0 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux | 7.4 |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux | 7.5 |
| canonical | ubuntu_linux | 18.10 |
| redhat | enterprise_linux | 7.6 |
| canonical | ubuntu_linux | 18.04 |
| perl | perl | * |
| canonical | ubuntu_linux | 14.04 |
| netapp | snapdrive | - |
| netapp | e-series_santricity_os_controller | * |
| netapp | snapcenter | - |
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| redhat | enterprise_linux | 7.0 |
| netapp | snap_creator_framework | - |
| redhat | enterprise_linux | 6.0 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux | 7.4 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 12.04 |
| redhat | enterprise_linux | 7.5 |
| canonical | ubuntu_linux | 18.10 |
| redhat | enterprise_linux | 7.6 |
| canonical | ubuntu_linux | 18.04 |
| perl | perl | * |
| canonical | ubuntu_linux | 14.04 |
| netapp | snapdrive | - |
| netapp | e-series_santricity_os_controller | * |
| netapp | snapcenter | - |
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| netapp | snap_creator_framework | - |
| redhat | enterprise_linux | 6.0 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux | 7.4 |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux | 7.5 |
| canonical | ubuntu_linux | 18.10 |
| redhat | enterprise_linux | 7.6 |
| canonical | ubuntu_linux | 18.04 |
| perl | perl | * |
| canonical | ubuntu_linux | 14.04 |
| netapp | snapdrive | - |
| netapp | e-series_santricity_os_controller | * |
| netapp | snapcenter | - |
An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server | 7.4 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server | 7.0 |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_server | 7.3 |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_server | 7.5 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_server | 7.6 |
| perl | perl | * |
An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server | 7.4 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server | 7.0 |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_server | 7.3 |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_server | 7.5 |
| redhat | enterprise_linux_workstation | 7.0 |
| perl | perl | * |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux_server | 6.0 |
| debian | debian_linux | 7.0 |
Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 12.04 |
| perl | perl | * |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 17.10 |
An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.0 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 15.2 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 18.04 |
| perl | dbi | * |
| canonical | ubuntu_linux | 14.04 |
| fedoraproject | fedora | 31 |
| opensuse | leap | 15.1 |
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 3.9 | 4.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | configuration_manager | 12.1.2.0.8 |
| oracle | communications_lsms | * |
| oracle | communications_eagle_lnp_application_processor | 46.8 |
| oracle | communications_eagle_lnp_application_processor | 10.2 |
| oracle | communications_eagle_application_processor | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | communications_billing_and_revenue_management | 12.0.0.2.0 |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | communications_eagle_lnp_application_processor | 10.1 |
| opensuse | leap | 15.1 |
| oracle | sd-wan_edge | 9.0 |
| oracle | communications_performance_intelligence_center | * |
| oracle | communications_pricing_design_center | 12.0.0.3.0 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | communications_eagle_lnp_application_processor | 46.9 |
| oracle | sd-wan_edge | 8.2 |
| perl | perl | * |
| oracle | tekelec_platform_distribution | * |
| oracle | sd-wan_edge | 9.1 |
| oracle | communications_eagle_lnp_application_processor | 46.7 |
| fedoraproject | fedora | 31 |
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 3.9 | 4.7 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_lsms | * |
| oracle | sd-wan_aware | 9.1 |
| oracle | communications_eagle_lnp_application_processor | 46.8 |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| netapp | snap_creator_framework | - |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 |
| oracle | communications_eagle_lnp_application_processor | 10.1 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| perl | perl | * |
| oracle | tekelec_platform_distribution | * |
| oracle | sd-wan_aware | 8.2 |
| oracle | configuration_manager | 12.1.2.0.8 |
| oracle | communications_eagle_lnp_application_processor | 10.2 |
| oracle | communications_eagle_application_processor | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.2.0 |
| oracle | communications_diameter_signaling_router | * |
| opensuse | leap | 15.1 |
| oracle | communications_performance_intelligence_center | * |
| oracle | sd-wan_aware | 9.0 |
| oracle | communications_pricing_design_center | 12.0.0.3.0 |
| oracle | communications_eagle_lnp_application_processor | 46.9 |
| oracle | communications_eagle_lnp_application_processor | 46.7 |
| fedoraproject | fedora | 31 |
| netapp | oncommand_workflow_automation | - |
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | configuration_manager | 12.1.2.0.8 |
| oracle | communications_lsms | * |
| oracle | communications_eagle_lnp_application_processor | 10.2 |
| oracle | communications_eagle_application_processor | * |
| oracle | communications_billing_and_revenue_management | 12.0.0.3.0 |
| oracle | communications_billing_and_revenue_management | 12.0.0.2.0 |
| netapp | snap_creator_framework | - |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 |
| oracle | communications_diameter_signaling_router | * |
| oracle | communications_eagle_lnp_application_processor | 10.1 |
| opensuse | leap | 15.1 |
| oracle | sd-wan_edge | 9.0 |
| oracle | communications_performance_intelligence_center | * |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | sd-wan_edge | 8.2 |
| perl | perl | * |
| oracle | tekelec_platform_distribution | * |
| oracle | sd-wan_edge | 9.1 |
| fedoraproject | fedora | 31 |
| netapp | oncommand_workflow_automation | - |
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-822,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 15.2 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 18.04 |
| perl | database_interface | * |
| canonical | ubuntu_linux | 14.04 |
| fedoraproject | fedora | 31 |
| opensuse | leap | 15.1 |
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
CVSS 2.0
Severity: LOW
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| opensuse | leap | 15.2 |
| perl | database_interface | * |
| fedoraproject | fedora | 31 |
CPAN 2.28 allows Signature Verification Bypass.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-347,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
| perl | comprehensive_perl_archive_network | 2.28 |
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | 5.34.0 |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cpanpm_project | cpanpm | * |
| perl | perl | * |
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| http::tiny_project | http::tiny | * |
| perl | perl | * |
A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| secalert@redhat.com | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_aus | 9.4 |
| perl | perl | * |
| fedoraproject | fedora | 39 |
| perl | perl | 5.34.0 |
| redhat | enterprise_linux_eus | 9.4 |
| redhat | enterprise_linux | 9.0 |
A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| secalert@redhat.com | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | * |
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | * |
A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 3.9 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| perl | perl | * |