ID CVE-2012-2451
Summary The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these details are obtained from third party information. NOTE: it has been reported that this might only be exploitable by writing in the same directory as the .ini file. If this is the case, then this issue might not cross privilege boundaries.
References
Vulnerable Configurations
  • cpe:2.3:a:shlomi_fish:config-inifiles:*:*:*:*:*:*:*:*
CVSS
Base: 3.6 (as of 29-08-2017 - 01:31)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:L/AC:L/Au:N/C:N/I:P/A:P
refmap via4
bid 53361
confirm https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59
fedora
  • FEDORA-2012-7763
  • FEDORA-2012-7777
  • FEDORA-2012-7802
misc https://bugzilla.redhat.com/show_bug.cgi?id=818386
mlist [oss-security] 20120502 temporary file issue in Config::IniFiles Config-IniFiles perl-Config-IniFiles
osvdb 81671
secunia 48990
ubuntu USN-1543-1
xf config-inifiles-symlink(75328)
Last major update 29-08-2017 - 01:31
Published 27-06-2012 - 21:55
Last modified 29-08-2017 - 01:31