Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-12015 (GCVE-0-2018-12015)
Vulnerability from cvelistv5 – Published: 2018-06-07 13:00 – Updated: 2024-08-05 08:24
VLAI?
EPSS
Summary
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
12 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/104423 | vdb-entryx_refsource_BID |
| http://www.securitytracker.com/id/1041048 | vdb-entryx_refsource_SECTRACK |
| https://www.debian.org/security/2018/dsa-4226 | vendor-advisoryx_refsource_DEBIAN |
| https://usn.ubuntu.com/3684-1/ | vendor-advisoryx_refsource_UBUNTU |
| https://usn.ubuntu.com/3684-2/ | vendor-advisoryx_refsource_UBUNTU |
| https://seclists.org/bugtraq/2019/Mar/42 | mailing-listx_refsource_BUGTRAQ |
| http://seclists.org/fulldisclosure/2019/Mar/49 | mailing-listx_refsource_FULLDISC |
| https://access.redhat.com/errata/RHSA-2019:2097 | vendor-advisoryx_refsource_REDHAT |
| https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug… | x_refsource_CONFIRM |
| https://security.netapp.com/advisory/ntap-2018092… | x_refsource_CONFIRM |
| https://support.apple.com/kb/HT209600 | x_refsource_CONFIRM |
Date Public ?
2018-06-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104423",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104423"
},
{
"name": "1041048",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1041048"
},
{
"name": "DSA-4226",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"name": "USN-3684-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"name": "USN-3684-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"name": "RHSA-2019:2097",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT209600"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-06-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-15T02:22:57.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "104423",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104423"
},
{
"name": "1041048",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1041048"
},
{
"name": "DSA-4226",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"name": "USN-3684-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"name": "USN-3684-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"name": "RHSA-2019:2097",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT209600"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12015",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104423",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104423"
},
{
"name": "1041048",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041048"
},
{
"name": "DSA-4226",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"name": "USN-3684-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"name": "USN-3684-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"name": "RHSA-2019:2097",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180927-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"name": "https://support.apple.com/kb/HT209600",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT209600"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12015",
"datePublished": "2018-06-07T13:00:00.000Z",
"dateReserved": "2018-06-07T00:00:00.000Z",
"dateUpdated": "2024-08-05T08:24:03.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-12015",
"date": "2026-05-25",
"epss": "0.16032",
"percentile": "0.94869"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B5A6F2F3-4894-4392-8296-3B8DD2679084\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9070C9D8-A14A-467F-8253-33B966C16886\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"5.26.2\", \"matchCriteriaId\": \"FA33F373-89C1-4FAD-9B80-7B2BD4388162\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:archive\\\\:\\\\:tar_project:archive\\\\:\\\\:tar:*:*:*:*:*:perl:*:*\", \"versionEndIncluding\": \"2.28\", \"matchCriteriaId\": \"52784FCD-EC91-4EF7-998B-E28F95B99B7D\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"10.14.4\", \"matchCriteriaId\": \"09CDBB72-2A0D-4321-BA1F-4FB326A5646A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5735E553-9731-4AAC-BCFF-989377F817B3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9F4754FB-E3EB-454A-AB1A-AE3835C5350C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*\", \"matchCriteriaId\": \"61D7EF01-F618-497F-9375-8003CEA3D380\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.\"}, {\"lang\": \"es\", \"value\": \"En Perl hasta la versi\\u00f3n 5.26.2, el m\\u00f3dulo Archive::Tar permite que atacantes remotos omitan un mecanismo de protecci\\u00f3n de salto de directorio y sobrescriban archivos arbitrarios mediante un archivo comprimido que contiene un symlink y un archivo normal con el mismo nombre.\"}]",
"id": "CVE-2018-12015",
"lastModified": "2024-11-21T03:44:24.850",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:P\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": true, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2018-06-07T13:29:00.240",
"references": "[{\"url\": \"http://seclists.org/fulldisclosure/2019/Mar/49\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/104423\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1041048\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2097\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Mar/42\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20180927-0001/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://support.apple.com/kb/HT209600\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3684-1/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3684-2/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4226\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Mar/49\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/104423\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1041048\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2097\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Mar/42\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20180927-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://support.apple.com/kb/HT209600\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3684-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/3684-2/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4226\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-12015\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-06-07T13:29:00.240\",\"lastModified\":\"2024-11-21T03:44:24.850\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.\"},{\"lang\":\"es\",\"value\":\"En Perl hasta la versi\u00f3n 5.26.2, el m\u00f3dulo Archive::Tar permite que atacantes remotos omitan un mecanismo de protecci\u00f3n de salto de directorio y sobrescriban archivos arbitrarios mediante un archivo comprimido que contiene un symlink y un archivo normal con el mismo nombre.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B5A6F2F3-4894-4392-8296-3B8DD2679084\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9070C9D8-A14A-467F-8253-33B966C16886\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.26.2\",\"matchCriteriaId\":\"FA33F373-89C1-4FAD-9B80-7B2BD4388162\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:archive\\\\:\\\\:tar_project:archive\\\\:\\\\:tar:*:*:*:*:*:perl:*:*\",\"versionEndIncluding\":\"2.28\",\"matchCriteriaId\":\"52784FCD-EC91-4EF7-998B-E28F95B99B7D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.14.4\",\"matchCriteriaId\":\"09CDBB72-2A0D-4321-BA1F-4FB326A5646A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5735E553-9731-4AAC-BCFF-989377F817B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F4754FB-E3EB-454A-AB1A-AE3835C5350C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*\",\"matchCriteriaId\":\"61D7EF01-F618-497F-9375-8003CEA3D380\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2019/Mar/49\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/104423\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041048\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2097\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Mar/42\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20180927-0001/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209600\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3684-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3684-2/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4226\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://seclists.org/fulldisclosure/2019/Mar/49\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/104423\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1041048\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2097\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Mar/42\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20180927-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://support.apple.com/kb/HT209600\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3684-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/3684-2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4226\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
CERTFR-2019-AVI-129
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Apple. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Apple | N/A | Apple iOS versions antérieures à 12.2 | ||
| Apple | macOS | Apple macOS Mojave versions antérieures à 10.14.4 | ||
| Apple | macOS | Apple macOS High Sierra sans le correctif de sécurité 2019-002 | ||
| Apple | N/A | Apple iTunes pour Windows versions antérieures à 12.9.4 | ||
| Apple | N/A | Apple tvOS versions antérieures à 12.2 | ||
| Apple | macOS | Apple macOS Sierra sans le correctif de sécurité 2019-002 | ||
| Apple | N/A | Apple Xcode versions antérieures à 10.2 | ||
| Apple | N/A | Apple iCloud pour Windows versions antérieures à 7.1 | ||
| Apple | Safari | Apple Safari versions antérieures à 12.1 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Apple iOS versions ant\u00e9rieures \u00e0 12.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple macOS Mojave versions ant\u00e9rieures \u00e0 10.14.4",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple macOS High Sierra sans le correctif de s\u00e9curit\u00e9 2019-002",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple iTunes pour Windows versions ant\u00e9rieures \u00e0 12.9.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple tvOS versions ant\u00e9rieures \u00e0 12.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple macOS Sierra sans le correctif de s\u00e9curit\u00e9 2019-002",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple Xcode versions ant\u00e9rieures \u00e0 10.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple iCloud pour Windows versions ant\u00e9rieures \u00e0 7.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple Safari versions ant\u00e9rieures \u00e0 12.1",
"product": {
"name": "Safari",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-6222",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6222"
},
{
"name": "CVE-2019-8544",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8544"
},
{
"name": "CVE-2019-8566",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8566"
},
{
"name": "CVE-2019-8524",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8524"
},
{
"name": "CVE-2019-8518",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8518"
},
{
"name": "CVE-2018-18313",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18313"
},
{
"name": "CVE-2019-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8565"
},
{
"name": "CVE-2019-6207",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6207"
},
{
"name": "CVE-2019-8507",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8507"
},
{
"name": "CVE-2019-8523",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8523"
},
{
"name": "CVE-2019-8536",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8536"
},
{
"name": "CVE-2019-8545",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8545"
},
{
"name": "CVE-2019-8511",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8511"
},
{
"name": "CVE-2019-8561",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8561"
},
{
"name": "CVE-2019-8550",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8550"
},
{
"name": "CVE-2019-8546",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8546"
},
{
"name": "CVE-2019-8504",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8504"
},
{
"name": "CVE-2019-7286",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7286"
},
{
"name": "CVE-2019-8522",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8522"
},
{
"name": "CVE-2019-8517",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8517"
},
{
"name": "CVE-2019-8515",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8515"
},
{
"name": "CVE-2019-8562",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8562"
},
{
"name": "CVE-2019-6239",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6239"
},
{
"name": "CVE-2019-8540",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8540"
},
{
"name": "CVE-2019-8502",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8502"
},
{
"name": "CVE-2019-8526",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8526"
},
{
"name": "CVE-2019-8529",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8529"
},
{
"name": "CVE-2019-6201",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6201"
},
{
"name": "CVE-2019-8503",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8503"
},
{
"name": "CVE-2019-8549",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8549"
},
{
"name": "CVE-2018-4461",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4461"
},
{
"name": "CVE-2019-7293",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7293"
},
{
"name": "CVE-2019-8567",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8567"
},
{
"name": "CVE-2018-18311",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18311"
},
{
"name": "CVE-2019-8563",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8563"
},
{
"name": "CVE-2019-6237",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6237"
},
{
"name": "CVE-2019-8514",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8514"
},
{
"name": "CVE-2019-8556",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8556"
},
{
"name": "CVE-2019-8513",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8513"
},
{
"name": "CVE-2019-8512",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8512"
},
{
"name": "CVE-2019-8510",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8510"
},
{
"name": "CVE-2018-12015",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12015"
},
{
"name": "CVE-2019-8527",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8527"
},
{
"name": "CVE-2019-8516",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8516"
},
{
"name": "CVE-2019-8508",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8508"
},
{
"name": "CVE-2019-8533",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8533"
},
{
"name": "CVE-2019-8558",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8558"
},
{
"name": "CVE-2019-8530",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8530"
},
{
"name": "CVE-2019-8553",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8553"
},
{
"name": "CVE-2019-8505",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8505"
},
{
"name": "CVE-2019-8520",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8520"
},
{
"name": "CVE-2019-8506",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8506"
},
{
"name": "CVE-2019-8542",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8542"
},
{
"name": "CVE-2019-8535",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8535"
},
{
"name": "CVE-2019-7284",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7284"
},
{
"name": "CVE-2019-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8555"
},
{
"name": "CVE-2019-6236",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6236"
},
{
"name": "CVE-2019-8537",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8537"
},
{
"name": "CVE-2019-7292",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7292"
},
{
"name": "CVE-2019-6204",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6204"
},
{
"name": "CVE-2019-8521",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8521"
},
{
"name": "CVE-2019-8519",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8519"
},
{
"name": "CVE-2019-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8551"
},
{
"name": "CVE-2019-8541",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8541"
},
{
"name": "CVE-2019-6232",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6232"
},
{
"name": "CVE-2019-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8559"
},
{
"name": "CVE-2019-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8552"
},
{
"name": "CVE-2019-7285",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7285"
},
{
"name": "CVE-2019-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8554"
}
],
"links": [],
"reference": "CERTFR-2019-AVI-129",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-03-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Apple.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service et un contournement de\nla politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Apple",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209599 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209599"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209601 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209601"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209604 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209604"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209605 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209605"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209603 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209603"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209600 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209600"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209606 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209606"
}
]
}
CERTFR-2019-AVI-129
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Apple. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Apple | N/A | Apple iOS versions antérieures à 12.2 | ||
| Apple | macOS | Apple macOS Mojave versions antérieures à 10.14.4 | ||
| Apple | macOS | Apple macOS High Sierra sans le correctif de sécurité 2019-002 | ||
| Apple | N/A | Apple iTunes pour Windows versions antérieures à 12.9.4 | ||
| Apple | N/A | Apple tvOS versions antérieures à 12.2 | ||
| Apple | macOS | Apple macOS Sierra sans le correctif de sécurité 2019-002 | ||
| Apple | N/A | Apple Xcode versions antérieures à 10.2 | ||
| Apple | N/A | Apple iCloud pour Windows versions antérieures à 7.1 | ||
| Apple | Safari | Apple Safari versions antérieures à 12.1 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Apple iOS versions ant\u00e9rieures \u00e0 12.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple macOS Mojave versions ant\u00e9rieures \u00e0 10.14.4",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple macOS High Sierra sans le correctif de s\u00e9curit\u00e9 2019-002",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple iTunes pour Windows versions ant\u00e9rieures \u00e0 12.9.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple tvOS versions ant\u00e9rieures \u00e0 12.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple macOS Sierra sans le correctif de s\u00e9curit\u00e9 2019-002",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple Xcode versions ant\u00e9rieures \u00e0 10.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple iCloud pour Windows versions ant\u00e9rieures \u00e0 7.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Apple Safari versions ant\u00e9rieures \u00e0 12.1",
"product": {
"name": "Safari",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-6222",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6222"
},
{
"name": "CVE-2019-8544",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8544"
},
{
"name": "CVE-2019-8566",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8566"
},
{
"name": "CVE-2019-8524",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8524"
},
{
"name": "CVE-2019-8518",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8518"
},
{
"name": "CVE-2018-18313",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18313"
},
{
"name": "CVE-2019-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8565"
},
{
"name": "CVE-2019-6207",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6207"
},
{
"name": "CVE-2019-8507",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8507"
},
{
"name": "CVE-2019-8523",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8523"
},
{
"name": "CVE-2019-8536",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8536"
},
{
"name": "CVE-2019-8545",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8545"
},
{
"name": "CVE-2019-8511",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8511"
},
{
"name": "CVE-2019-8561",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8561"
},
{
"name": "CVE-2019-8550",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8550"
},
{
"name": "CVE-2019-8546",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8546"
},
{
"name": "CVE-2019-8504",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8504"
},
{
"name": "CVE-2019-7286",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7286"
},
{
"name": "CVE-2019-8522",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8522"
},
{
"name": "CVE-2019-8517",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8517"
},
{
"name": "CVE-2019-8515",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8515"
},
{
"name": "CVE-2019-8562",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8562"
},
{
"name": "CVE-2019-6239",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6239"
},
{
"name": "CVE-2019-8540",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8540"
},
{
"name": "CVE-2019-8502",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8502"
},
{
"name": "CVE-2019-8526",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8526"
},
{
"name": "CVE-2019-8529",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8529"
},
{
"name": "CVE-2019-6201",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6201"
},
{
"name": "CVE-2019-8503",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8503"
},
{
"name": "CVE-2019-8549",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8549"
},
{
"name": "CVE-2018-4461",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-4461"
},
{
"name": "CVE-2019-7293",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7293"
},
{
"name": "CVE-2019-8567",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8567"
},
{
"name": "CVE-2018-18311",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18311"
},
{
"name": "CVE-2019-8563",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8563"
},
{
"name": "CVE-2019-6237",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6237"
},
{
"name": "CVE-2019-8514",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8514"
},
{
"name": "CVE-2019-8556",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8556"
},
{
"name": "CVE-2019-8513",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8513"
},
{
"name": "CVE-2019-8512",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8512"
},
{
"name": "CVE-2019-8510",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8510"
},
{
"name": "CVE-2018-12015",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12015"
},
{
"name": "CVE-2019-8527",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8527"
},
{
"name": "CVE-2019-8516",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8516"
},
{
"name": "CVE-2019-8508",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8508"
},
{
"name": "CVE-2019-8533",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8533"
},
{
"name": "CVE-2019-8558",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8558"
},
{
"name": "CVE-2019-8530",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8530"
},
{
"name": "CVE-2019-8553",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8553"
},
{
"name": "CVE-2019-8505",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8505"
},
{
"name": "CVE-2019-8520",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8520"
},
{
"name": "CVE-2019-8506",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8506"
},
{
"name": "CVE-2019-8542",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8542"
},
{
"name": "CVE-2019-8535",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8535"
},
{
"name": "CVE-2019-7284",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7284"
},
{
"name": "CVE-2019-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8555"
},
{
"name": "CVE-2019-6236",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6236"
},
{
"name": "CVE-2019-8537",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8537"
},
{
"name": "CVE-2019-7292",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7292"
},
{
"name": "CVE-2019-6204",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6204"
},
{
"name": "CVE-2019-8521",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8521"
},
{
"name": "CVE-2019-8519",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8519"
},
{
"name": "CVE-2019-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8551"
},
{
"name": "CVE-2019-8541",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8541"
},
{
"name": "CVE-2019-6232",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6232"
},
{
"name": "CVE-2019-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8559"
},
{
"name": "CVE-2019-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8552"
},
{
"name": "CVE-2019-7285",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-7285"
},
{
"name": "CVE-2019-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8554"
}
],
"links": [],
"reference": "CERTFR-2019-AVI-129",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-03-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Apple.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service et un contournement de\nla politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Apple",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209599 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209599"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209601 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209601"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209604 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209604"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209605 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209605"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209603 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209603"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209600 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209600"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT209606 du 25 mars 2019",
"url": "https://support.apple.com/en-us/HT209606"
}
]
}
BDU:2019-00435
Vulnerability from fstec - Published: 07.06.2018
VLAI Severity ?
Title
Уязвимость модуля Archive::Tar интерпретатора языка программирования Perl, позволяющая нарушителю обойти установленный контроль доступа и нарушить целостность информации
Description
Уязвимость модуля Archive::Tar интерпретатора языка программирования Perl связана с ошибкой механизма защиты обхода каталогов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, обойти установленный контроль доступа и перезаписать произвольный файл через архивный файл, содержащий символическую ссылку и обычный файл с тем же именем
Severity ?
Vendor
ООО «РусБИТех-Астра», Сообщество свободного программного обеспечения
Software Name
Astra Linux Special Edition (запись в едином реестре российских программ №369), Debian GNU/Linux, Perl
Software Version
1.5 «Смоленск» (Astra Linux Special Edition), 9 (Debian GNU/Linux), 1.6 «Смоленск» (Astra Linux Special Edition), до 5.26.2 включительно (Perl), 8 (Debian GNU/Linux)
Possible Mitigations
Для Perl:
Обновление программного обеспечения до 5.28.1 или более поздней версии
Для Debian:
Обновление программного обеспечения (пакета perl) до 5.20.2-3+deb8u11 или более поздней версии
Для Astra Linux:
Обновление программного обеспечения (пакета perl) до 5.20.2-3+deb8u11 или более поздней версии
Reference
https://rt.cpan.org/Public/Bug/Display.html?id=125523
https://nvd.nist.gov/vuln/detail/CVE-2018-12015
https://security-tracker.debian.org/tracker/CVE-2018-12015
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834
https://wiki.astralinux.ru/pages/viewpage.action?pageId=1212483
CWE
CWE-22
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.5 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 9 (Debian GNU/Linux), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), \u0434\u043e 5.26.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Perl), 8 (Debian GNU/Linux)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Perl:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e 5.28.1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Debian:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 perl) \u0434\u043e 5.20.2-3+deb8u11 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Astra Linux:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 perl) \u0434\u043e 5.20.2-3+deb8u11 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "07.06.2018",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.03.2021",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.02.2019",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2019-00435",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2018-12015",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Debian GNU/Linux, Perl",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f Archive::Tar \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Perl, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443 \u0441 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (\u00ab\u041e\u0431\u0445\u043e\u0434 \u043f\u0443\u0442\u0438\u00bb) (CWE-22)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044f Archive::Tar \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Perl \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u043e\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0437\u0430\u0449\u0438\u0442\u044b \u043e\u0431\u0445\u043e\u0434\u0430 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u0430\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u0444\u0430\u0439\u043b \u0447\u0435\u0440\u0435\u0437 \u0430\u0440\u0445\u0438\u0432\u043d\u044b\u0439 \u0444\u0430\u0439\u043b, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0439 \u0441\u0438\u043c\u0432\u043e\u043b\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0441\u0441\u044b\u043b\u043a\u0443 \u0438 \u043e\u0431\u044b\u0447\u043d\u044b\u0439 \u0444\u0430\u0439\u043b \u0441 \u0442\u0435\u043c \u0436\u0435 \u0438\u043c\u0435\u043d\u0435\u043c",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "-",
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://rt.cpan.org/Public/Bug/Display.html?id=125523\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-12015\nhttps://security-tracker.debian.org/tracker/CVE-2018-12015\nhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=1212483",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-22",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,4)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
CNVD-2018-11297
Vulnerability from cnvd - Published: 2018-06-12
VLAI Severity ?
Title
Perl目录遍历漏洞
Description
Perl是美国程序员拉里-沃尔(Larry Wall)所研发的一种免费且功能强大的跨平台编程语言。Archive::Tar module是其中的一个用于处理tar文件的模块。
Perl 5.26.2及之前版本中的Archive::Tar模块存在安全漏洞。攻击者可借助带有相同名称的符号链接和常规文件的归档文件利用该漏洞绕过目录遍历保护机制并覆盖任意文件。
Severity
中
Patch Name
Perl目录遍历漏洞的补丁
Patch Description
Perl是美国程序员拉里-沃尔(Larry Wall)所研发的一种免费且功能强大的跨平台编程语言。Archive::Tar module是其中的一个用于处理tar文件的模块。
Perl 5.26.2及之前版本中的Archive::Tar模块存在安全漏洞。攻击者可借助带有相同名称的符号链接和常规文件的归档文件利用该漏洞绕过目录遍历保护机制并覆盖任意文件。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布漏洞修复程序,请及时关注更新: https://rt.cpan.org/Public/Bug/Display.html?id=125523
Reference
https://securitytracker.com/id/1041048
Impacted products
| Name | Perl.org Perl <=5.26.2 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-12015"
}
},
"description": "Perl\u662f\u7f8e\u56fd\u7a0b\u5e8f\u5458\u62c9\u91cc-\u6c83\u5c14\uff08Larry Wall\uff09\u6240\u7814\u53d1\u7684\u4e00\u79cd\u514d\u8d39\u4e14\u529f\u80fd\u5f3a\u5927\u7684\u8de8\u5e73\u53f0\u7f16\u7a0b\u8bed\u8a00\u3002Archive::Tar module\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7528\u4e8e\u5904\u7406tar\u6587\u4ef6\u7684\u6a21\u5757\u3002\r\n\r\nPerl 5.26.2\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684Archive::Tar\u6a21\u5757\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u5e26\u6709\u76f8\u540c\u540d\u79f0\u7684\u7b26\u53f7\u94fe\u63a5\u548c\u5e38\u89c4\u6587\u4ef6\u7684\u5f52\u6863\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u76ee\u5f55\u904d\u5386\u4fdd\u62a4\u673a\u5236\u5e76\u8986\u76d6\u4efb\u610f\u6587\u4ef6\u3002",
"discovererName": "Unknow",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://rt.cpan.org/Public/Bug/Display.html?id=125523",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-11297",
"openTime": "2018-06-12",
"patchDescription": "Perl\u662f\u7f8e\u56fd\u7a0b\u5e8f\u5458\u62c9\u91cc-\u6c83\u5c14\uff08Larry Wall\uff09\u6240\u7814\u53d1\u7684\u4e00\u79cd\u514d\u8d39\u4e14\u529f\u80fd\u5f3a\u5927\u7684\u8de8\u5e73\u53f0\u7f16\u7a0b\u8bed\u8a00\u3002Archive::Tar module\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7528\u4e8e\u5904\u7406tar\u6587\u4ef6\u7684\u6a21\u5757\u3002\r\n\r\nPerl 5.26.2\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684Archive::Tar\u6a21\u5757\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u5e26\u6709\u76f8\u540c\u540d\u79f0\u7684\u7b26\u53f7\u94fe\u63a5\u548c\u5e38\u89c4\u6587\u4ef6\u7684\u5f52\u6863\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u76ee\u5f55\u904d\u5386\u4fdd\u62a4\u673a\u5236\u5e76\u8986\u76d6\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Perl\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Perl.org Perl \u003c=5.26.2"
},
"referenceLink": "https://securitytracker.com/id/1041048",
"serverity": "\u4e2d",
"submitTime": "2018-06-11",
"title": "Perl\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}
FKIE_CVE-2018-12015
Vulnerability from fkie_nvd - Published: 2018-06-07 13:29 - Updated: 2024-11-21 03:44
Severity ?
Summary
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | ubuntu_linux | 12.04 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 17.10 | |
| canonical | ubuntu_linux | 18.04 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| perl | perl | * | |
| archive\ | \ | tar_project | |
| apple | mac_os_x | * | |
| netapp | data_ontap_edge | - | |
| netapp | oncommand_workflow_automation | - | |
| netapp | snap_creator_framework | - | |
| netapp | snapdrive | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
"matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA33F373-89C1-4FAD-9B80-7B2BD4388162",
"versionEndIncluding": "5.26.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*",
"matchCriteriaId": "52784FCD-EC91-4EF7-998B-E28F95B99B7D",
"versionEndIncluding": "2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"matchCriteriaId": "09CDBB72-2A0D-4321-BA1F-4FB326A5646A",
"versionEndExcluding": "10.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9F4754FB-E3EB-454A-AB1A-AE3835C5350C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
"matchCriteriaId": "61D7EF01-F618-497F-9375-8003CEA3D380",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name."
},
{
"lang": "es",
"value": "En Perl hasta la versi\u00f3n 5.26.2, el m\u00f3dulo Archive::Tar permite que atacantes remotos omitan un mecanismo de protecci\u00f3n de salto de directorio y sobrescriban archivos arbitrarios mediante un archivo comprimido que contiene un symlink y un archivo normal con el mismo nombre."
}
],
"id": "CVE-2018-12015",
"lastModified": "2024-11-21T03:44:24.850",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-07T13:29:00.240",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104423"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041048"
},
{
"source": "cve@mitre.org",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT209600"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104423"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041048"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT209600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-44R9-882W-XW5M
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI?
Details
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
Severity ?
7.5 (High)
{
"affected": [],
"aliases": [
"CVE-2018-12015"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-07T13:29:00Z",
"severity": "HIGH"
},
"details": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
"id": "GHSA-44r9-882w-xw5m",
"modified": "2022-05-13T01:18:58Z",
"published": "2022-05-13T01:18:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180927-0001"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209600"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3684-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3684-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104423"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GSD-2018-12015
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-12015",
"description": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
"id": "GSD-2018-12015",
"references": [
"https://www.suse.com/security/cve/CVE-2018-12015.html",
"https://www.debian.org/security/2018/dsa-4226",
"https://access.redhat.com/errata/RHSA-2019:2097",
"https://ubuntu.com/security/CVE-2018-12015",
"https://alas.aws.amazon.com/cve/html/CVE-2018-12015.html",
"https://linux.oracle.com/cve/CVE-2018-12015.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-12015"
],
"details": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.",
"id": "GSD-2018-12015",
"modified": "2023-12-13T01:22:29.921301Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12015",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104423",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104423"
},
{
"name": "1041048",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1041048"
},
{
"name": "DSA-4226",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"name": "USN-3684-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"name": "USN-3684-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"name": "RHSA-2019:2097",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180927-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"name": "https://support.apple.com/kb/HT209600",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT209600"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "5.26.2",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*",
"cpe_name": [],
"versionEndIncluding": "2.28",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "10.14.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12015"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834"
},
{
"name": "1041048",
"refsource": "SECTRACK",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1041048"
},
{
"name": "DSA-4226",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4226"
},
{
"name": "104423",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104423"
},
{
"name": "USN-3684-2",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3684-2/"
},
{
"name": "USN-3684-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3684-1/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180927-0001/",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20180927-0001/"
},
{
"name": "https://support.apple.com/kb/HT209600",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT209600"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"refsource": "BUGTRAQ",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/bugtraq/2019/Mar/42"
},
{
"name": "20190326 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra",
"refsource": "FULLDISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Mar/49"
},
{
"name": "RHSA-2019:2097",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": true,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-08-24T17:37Z",
"publishedDate": "2018-06-07T13:29Z"
}
}
}
RHSA-2019:2097
Vulnerability from csaf_redhat - Published: 2019-08-06 14:19 - Updated: 2026-04-21 13:31Summary
Red Hat Security Advisory: perl-Archive-Tar security update
Severity
Moderate
Notes
Topic: An update for perl-Archive-Tar is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Archive::Tar module provides a mechanism for Perl scripts to manipulate tar archive files.
Security Fix(es):
* perl: Directory traversal in Archive::Tar (CVE-2018-12015)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
5.4 (Medium)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for perl-Archive-Tar is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Archive::Tar module provides a mechanism for Perl scripts to manipulate tar archive files.\n\nSecurity Fix(es):\n\n* perl: Directory traversal in Archive::Tar (CVE-2018-12015)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2097",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index"
},
{
"category": "external",
"summary": "1588760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2097.json"
}
],
"title": "Red Hat Security Advisory: perl-Archive-Tar security update",
"tracking": {
"current_release_date": "2026-04-21T13:31:02+00:00",
"generator": {
"date": "2026-04-21T13:31:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2019:2097",
"initial_release_date": "2019-08-06T14:19:51+00:00",
"revision_history": [
{
"date": "2019-08-06T14:19:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-06T14:19:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-21T13:31:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-Archive-Tar-0:1.92-3.el7.src",
"product": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src",
"product_id": "perl-Archive-Tar-0:1.92-3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl-Archive-Tar@1.92-3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"product": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"product_id": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl-Archive-Tar@1.92-3.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7Client-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7Client-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7ComputeNode-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7Server-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7Server-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7Workstation-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7Workstation-7.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-12015",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588760"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Directory traversal in Archive::Tar",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12015"
},
{
"category": "external",
"summary": "RHBZ#1588760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12015",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12015"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-06T14:19:51+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: Directory traversal in Archive::Tar"
}
]
}
RHSA-2019_2097
Vulnerability from csaf_redhat - Published: 2019-08-06 14:19 - Updated: 2024-11-22 12:34Summary
Red Hat Security Advisory: perl-Archive-Tar security update
Severity
Moderate
Notes
Topic: An update for perl-Archive-Tar is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Archive::Tar module provides a mechanism for Perl scripts to manipulate tar archive files.
Security Fix(es):
* perl: Directory traversal in Archive::Tar (CVE-2018-12015)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
5.4 (Medium)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for perl-Archive-Tar is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Archive::Tar module provides a mechanism for Perl scripts to manipulate tar archive files.\n\nSecurity Fix(es):\n\n* perl: Directory traversal in Archive::Tar (CVE-2018-12015)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2097",
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index"
},
{
"category": "external",
"summary": "1588760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2097.json"
}
],
"title": "Red Hat Security Advisory: perl-Archive-Tar security update",
"tracking": {
"current_release_date": "2024-11-22T12:34:00+00:00",
"generator": {
"date": "2024-11-22T12:34:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2097",
"initial_release_date": "2019-08-06T14:19:51+00:00",
"revision_history": [
{
"date": "2019-08-06T14:19:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-06T14:19:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T12:34:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-Archive-Tar-0:1.92-3.el7.src",
"product": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src",
"product_id": "perl-Archive-Tar-0:1.92-3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl-Archive-Tar@1.92-3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"product": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"product_id": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl-Archive-Tar@1.92-3.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7Client-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7Client-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7ComputeNode-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7ComputeNode-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7Server-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7Server-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.noarch",
"relates_to_product_reference": "7Workstation-7.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Archive-Tar-0:1.92-3.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
},
"product_reference": "perl-Archive-Tar-0:1.92-3.el7.src",
"relates_to_product_reference": "7Workstation-7.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-12015",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588760"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Directory traversal in Archive::Tar",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12015"
},
{
"category": "external",
"summary": "RHBZ#1588760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12015",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12015"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-06T14:19:51+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2097"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Client-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7ComputeNode-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Server-7.7:perl-Archive-Tar-0:1.92-3.el7.src",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.noarch",
"7Workstation-7.7:perl-Archive-Tar-0:1.92-3.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: Directory traversal in Archive::Tar"
}
]
}
RHSA-2026:7604
Vulnerability from csaf_redhat - Published: 2026-04-10 22:59 - Updated: 2026-04-21 13:31Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
perl:
* perl-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-Attribute-Handlers-1.03-524.1.hum1 (noarch)
* perl-AutoLoader-5.74-524.1.hum1 (noarch)
* perl-AutoSplit-5.74-524.1.hum1 (noarch)
* perl-B-1.89-524.1.hum1 (aarch64, x86_64)
* perl-Benchmark-1.27-524.1.hum1 (noarch)
* perl-Class-Struct-0.68-524.1.hum1 (noarch)
* perl-Config-Extensions-0.03-524.1.hum1 (noarch)
* perl-DBM_Filter-0.07-524.1.hum1 (noarch)
* perl-Devel-Peek-1.36-524.1.hum1 (aarch64, x86_64)
* perl-Devel-SelfStubber-1.06-524.1.hum1 (noarch)
* perl-DirHandle-1.05-524.1.hum1 (noarch)
* perl-Dumpvalue-2.27-524.1.hum1 (noarch)
* perl-DynaLoader-1.57-524.1.hum1 (aarch64, x86_64)
* perl-English-1.11-524.1.hum1 (noarch)
* perl-Errno-1.38-524.1.hum1 (aarch64, x86_64)
* perl-ExtUtils-Constant-0.25-524.1.hum1 (noarch)
* perl-ExtUtils-Embed-1.35-524.1.hum1 (noarch)
* perl-ExtUtils-Miniperl-1.14-524.1.hum1 (noarch)
* perl-Fcntl-1.20-524.1.hum1 (aarch64, x86_64)
* perl-File-Basename-2.86-524.1.hum1 (noarch)
* perl-File-Compare-1.100.800-524.1.hum1 (noarch)
* perl-File-Copy-2.41-524.1.hum1 (noarch)
* perl-File-DosGlob-1.12-524.1.hum1 (aarch64, x86_64)
* perl-File-Find-1.44-524.1.hum1 (noarch)
* perl-File-stat-1.14-524.1.hum1 (noarch)
* perl-FileCache-1.10-524.1.hum1 (noarch)
* perl-FileHandle-2.05-524.1.hum1 (noarch)
* perl-FindBin-1.54-524.1.hum1 (noarch)
* perl-GDBM_File-1.24-524.1.hum1 (aarch64, x86_64)
* perl-Getopt-Std-1.14-524.1.hum1 (noarch)
* perl-Hash-Util-0.32-524.1.hum1 (aarch64, x86_64)
* perl-Hash-Util-FieldHash-1.27-524.1.hum1 (aarch64, x86_64)
* perl-I18N-Collate-1.02-524.1.hum1 (noarch)
* perl-I18N-LangTags-0.45-524.1.hum1 (noarch)
* perl-I18N-Langinfo-0.24-524.1.hum1 (aarch64, x86_64)
* perl-IO-1.55-524.1.hum1 (aarch64, x86_64)
* perl-IPC-Open3-1.24-524.1.hum1 (noarch)
* perl-Locale-Maketext-Simple-0.21-524.1.hum1 (noarch)
* perl-Math-Complex-1.63-524.1.hum1 (noarch)
* perl-Memoize-1.17-524.1.hum1 (noarch)
* perl-Module-Loaded-0.08-524.1.hum1 (noarch)
* perl-NDBM_File-1.18-524.1.hum1 (aarch64, x86_64)
* perl-NEXT-0.69-524.1.hum1 (noarch)
* perl-Net-1.04-524.1.hum1 (noarch)
* perl-ODBM_File-1.20-524.1.hum1 (aarch64, x86_64)
* perl-Opcode-1.69-524.1.hum1 (aarch64, x86_64)
* perl-POSIX-2.23-524.1.hum1 (aarch64, x86_64)
* perl-Pod-Functions-1.14-524.1.hum1 (noarch)
* perl-Pod-Html-1.35-524.1.hum1 (noarch)
* perl-Safe-2.47-524.1.hum1 (noarch)
* perl-Search-Dict-1.08-524.1.hum1 (noarch)
* perl-SelectSaver-1.02-524.1.hum1 (noarch)
* perl-SelfLoader-1.28-524.1.hum1 (noarch)
* perl-Symbol-1.09-524.1.hum1 (noarch)
* perl-Sys-Hostname-1.25-524.1.hum1 (aarch64, x86_64)
* perl-Term-Complete-1.403-524.1.hum1 (noarch)
* perl-Term-ReadLine-1.17-524.1.hum1 (noarch)
* perl-Test-1.31-524.1.hum1 (noarch)
* perl-Text-Abbrev-1.02-524.1.hum1 (noarch)
* perl-Thread-3.06-524.1.hum1 (noarch)
* perl-Thread-Semaphore-2.13-524.1.hum1 (noarch)
* perl-Tie-4.6-524.1.hum1 (noarch)
* perl-Tie-File-1.10-524.1.hum1 (noarch)
* perl-Tie-Memoize-1.1-524.1.hum1 (noarch)
* perl-Time-1.04-524.1.hum1 (noarch)
* perl-Time-Piece-1.3600-524.1.hum1 (aarch64, x86_64)
* perl-Unicode-UCD-0.81-524.1.hum1 (noarch)
* perl-User-pwent-1.05-524.1.hum1 (noarch)
* perl-autouse-1.11-524.1.hum1 (noarch)
* perl-base-2.27-524.1.hum1 (noarch)
* perl-blib-1.07-524.1.hum1 (noarch)
* perl-debugger-1.60-524.1.hum1 (noarch)
* perl-deprecate-0.04-524.1.hum1 (noarch)
* perl-devel-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-diagnostics-1.40-524.1.hum1 (noarch)
* perl-doc-5.42.2-524.1.hum1 (noarch)
* perl-encoding-warnings-0.14-524.1.hum1 (noarch)
* perl-fields-2.27-524.1.hum1 (noarch)
* perl-filetest-1.03-524.1.hum1 (noarch)
* perl-if-0.61.000-524.1.hum1 (noarch)
* perl-interpreter-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-less-0.03-524.1.hum1 (noarch)
* perl-lib-0.65-524.1.hum1 (aarch64, x86_64)
* perl-libnetcfg-5.42.2-524.1.hum1 (noarch)
* perl-libs-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-locale-1.13-524.1.hum1 (noarch)
* perl-macros-5.42.2-524.1.hum1 (noarch)
* perl-meta-notation-5.42.2-524.1.hum1 (noarch)
* perl-mro-1.29-524.1.hum1 (aarch64, x86_64)
* perl-open-1.13-524.1.hum1 (noarch)
* perl-overload-1.40-524.1.hum1 (noarch)
* perl-overloading-0.02-524.1.hum1 (noarch)
* perl-ph-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-sigtrap-1.10-524.1.hum1 (noarch)
* perl-sort-2.06-524.1.hum1 (noarch)
* perl-subs-1.04-524.1.hum1 (noarch)
* perl-tests-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-utils-5.42.2-524.1.hum1 (noarch)
* perl-vars-1.05-524.1.hum1 (noarch)
* perl-vmsish-1.04-524.1.hum1 (noarch)
* perl-5.42.2-524.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
5.4 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
8.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
7.0 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
7.0 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
8.6 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens due to `verify_SSL` missing when suing the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in Tiny, where a Perl core module and standalone CPAN package, does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server.
8.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:perl-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:perl-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
49 references
Acknowledgments
the Perl project
Jayakrishna Menon
Eiichi Tsukata
Jakub Wilk
Hugo van der Sanden
Slaven Rezic
Sergey Aleynikov
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nperl:\n * perl-5.42.2-524.1.hum1 (aarch64, x86_64)\n * perl-Attribute-Handlers-1.03-524.1.hum1 (noarch)\n * perl-AutoLoader-5.74-524.1.hum1 (noarch)\n * perl-AutoSplit-5.74-524.1.hum1 (noarch)\n * perl-B-1.89-524.1.hum1 (aarch64, x86_64)\n * perl-Benchmark-1.27-524.1.hum1 (noarch)\n * perl-Class-Struct-0.68-524.1.hum1 (noarch)\n * perl-Config-Extensions-0.03-524.1.hum1 (noarch)\n * perl-DBM_Filter-0.07-524.1.hum1 (noarch)\n * perl-Devel-Peek-1.36-524.1.hum1 (aarch64, x86_64)\n * perl-Devel-SelfStubber-1.06-524.1.hum1 (noarch)\n * perl-DirHandle-1.05-524.1.hum1 (noarch)\n * perl-Dumpvalue-2.27-524.1.hum1 (noarch)\n * perl-DynaLoader-1.57-524.1.hum1 (aarch64, x86_64)\n * perl-English-1.11-524.1.hum1 (noarch)\n * perl-Errno-1.38-524.1.hum1 (aarch64, x86_64)\n * perl-ExtUtils-Constant-0.25-524.1.hum1 (noarch)\n * perl-ExtUtils-Embed-1.35-524.1.hum1 (noarch)\n * perl-ExtUtils-Miniperl-1.14-524.1.hum1 (noarch)\n * perl-Fcntl-1.20-524.1.hum1 (aarch64, x86_64)\n * perl-File-Basename-2.86-524.1.hum1 (noarch)\n * perl-File-Compare-1.100.800-524.1.hum1 (noarch)\n * perl-File-Copy-2.41-524.1.hum1 (noarch)\n * perl-File-DosGlob-1.12-524.1.hum1 (aarch64, x86_64)\n * perl-File-Find-1.44-524.1.hum1 (noarch)\n * perl-File-stat-1.14-524.1.hum1 (noarch)\n * perl-FileCache-1.10-524.1.hum1 (noarch)\n * perl-FileHandle-2.05-524.1.hum1 (noarch)\n * perl-FindBin-1.54-524.1.hum1 (noarch)\n * perl-GDBM_File-1.24-524.1.hum1 (aarch64, x86_64)\n * perl-Getopt-Std-1.14-524.1.hum1 (noarch)\n * perl-Hash-Util-0.32-524.1.hum1 (aarch64, x86_64)\n * perl-Hash-Util-FieldHash-1.27-524.1.hum1 (aarch64, x86_64)\n * perl-I18N-Collate-1.02-524.1.hum1 (noarch)\n * perl-I18N-LangTags-0.45-524.1.hum1 (noarch)\n * perl-I18N-Langinfo-0.24-524.1.hum1 (aarch64, x86_64)\n * perl-IO-1.55-524.1.hum1 (aarch64, x86_64)\n * perl-IPC-Open3-1.24-524.1.hum1 (noarch)\n * perl-Locale-Maketext-Simple-0.21-524.1.hum1 (noarch)\n * perl-Math-Complex-1.63-524.1.hum1 (noarch)\n * perl-Memoize-1.17-524.1.hum1 (noarch)\n * perl-Module-Loaded-0.08-524.1.hum1 (noarch)\n * perl-NDBM_File-1.18-524.1.hum1 (aarch64, x86_64)\n * perl-NEXT-0.69-524.1.hum1 (noarch)\n * perl-Net-1.04-524.1.hum1 (noarch)\n * perl-ODBM_File-1.20-524.1.hum1 (aarch64, x86_64)\n * perl-Opcode-1.69-524.1.hum1 (aarch64, x86_64)\n * perl-POSIX-2.23-524.1.hum1 (aarch64, x86_64)\n * perl-Pod-Functions-1.14-524.1.hum1 (noarch)\n * perl-Pod-Html-1.35-524.1.hum1 (noarch)\n * perl-Safe-2.47-524.1.hum1 (noarch)\n * perl-Search-Dict-1.08-524.1.hum1 (noarch)\n * perl-SelectSaver-1.02-524.1.hum1 (noarch)\n * perl-SelfLoader-1.28-524.1.hum1 (noarch)\n * perl-Symbol-1.09-524.1.hum1 (noarch)\n * perl-Sys-Hostname-1.25-524.1.hum1 (aarch64, x86_64)\n * perl-Term-Complete-1.403-524.1.hum1 (noarch)\n * perl-Term-ReadLine-1.17-524.1.hum1 (noarch)\n * perl-Test-1.31-524.1.hum1 (noarch)\n * perl-Text-Abbrev-1.02-524.1.hum1 (noarch)\n * perl-Thread-3.06-524.1.hum1 (noarch)\n * perl-Thread-Semaphore-2.13-524.1.hum1 (noarch)\n * perl-Tie-4.6-524.1.hum1 (noarch)\n * perl-Tie-File-1.10-524.1.hum1 (noarch)\n * perl-Tie-Memoize-1.1-524.1.hum1 (noarch)\n * perl-Time-1.04-524.1.hum1 (noarch)\n * perl-Time-Piece-1.3600-524.1.hum1 (aarch64, x86_64)\n * perl-Unicode-UCD-0.81-524.1.hum1 (noarch)\n * perl-User-pwent-1.05-524.1.hum1 (noarch)\n * perl-autouse-1.11-524.1.hum1 (noarch)\n * perl-base-2.27-524.1.hum1 (noarch)\n * perl-blib-1.07-524.1.hum1 (noarch)\n * perl-debugger-1.60-524.1.hum1 (noarch)\n * perl-deprecate-0.04-524.1.hum1 (noarch)\n * perl-devel-5.42.2-524.1.hum1 (aarch64, x86_64)\n * perl-diagnostics-1.40-524.1.hum1 (noarch)\n * perl-doc-5.42.2-524.1.hum1 (noarch)\n * perl-encoding-warnings-0.14-524.1.hum1 (noarch)\n * perl-fields-2.27-524.1.hum1 (noarch)\n * perl-filetest-1.03-524.1.hum1 (noarch)\n * perl-if-0.61.000-524.1.hum1 (noarch)\n * perl-interpreter-5.42.2-524.1.hum1 (aarch64, x86_64)\n * perl-less-0.03-524.1.hum1 (noarch)\n * perl-lib-0.65-524.1.hum1 (aarch64, x86_64)\n * perl-libnetcfg-5.42.2-524.1.hum1 (noarch)\n * perl-libs-5.42.2-524.1.hum1 (aarch64, x86_64)\n * perl-locale-1.13-524.1.hum1 (noarch)\n * perl-macros-5.42.2-524.1.hum1 (noarch)\n * perl-meta-notation-5.42.2-524.1.hum1 (noarch)\n * perl-mro-1.29-524.1.hum1 (aarch64, x86_64)\n * perl-open-1.13-524.1.hum1 (noarch)\n * perl-overload-1.40-524.1.hum1 (noarch)\n * perl-overloading-0.02-524.1.hum1 (noarch)\n * perl-ph-5.42.2-524.1.hum1 (aarch64, x86_64)\n * perl-sigtrap-1.10-524.1.hum1 (noarch)\n * perl-sort-2.06-524.1.hum1 (noarch)\n * perl-subs-1.04-524.1.hum1 (noarch)\n * perl-tests-5.42.2-524.1.hum1 (aarch64, x86_64)\n * perl-utils-5.42.2-524.1.hum1 (noarch)\n * perl-vars-1.05-524.1.hum1 (noarch)\n * perl-vmsish-1.04-524.1.hum1 (noarch)\n * perl-5.42.2-524.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7604",
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-31486",
"url": "https://access.redhat.com/security/cve/CVE-2023-31486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-31484",
"url": "https://access.redhat.com/security/cve/CVE-2023-31484"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2020-12723",
"url": "https://access.redhat.com/security/cve/CVE-2020-12723"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2020-10878",
"url": "https://access.redhat.com/security/cve/CVE-2020-10878"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2018-18314",
"url": "https://access.redhat.com/security/cve/CVE-2018-18314"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2018-18313",
"url": "https://access.redhat.com/security/cve/CVE-2018-18313"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2018-18312",
"url": "https://access.redhat.com/security/cve/CVE-2018-18312"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2018-18311",
"url": "https://access.redhat.com/security/cve/CVE-2018-18311"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2018-12015",
"url": "https://access.redhat.com/security/cve/CVE-2018-12015"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7604.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-21T13:31:12+00:00",
"generator": {
"date": "2026-04-21T13:31:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:7604",
"initial_release_date": "2026-04-10T22:59:35+00:00",
"revision_history": [
{
"date": "2026-04-10T22:59:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-21T02:54:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-21T13:31:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@aarch64",
"product": {
"name": "perl-main@aarch64",
"product_id": "perl-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl@5.42.2-524.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@src",
"product": {
"name": "perl-main@src",
"product_id": "perl-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl@5.42.2-524.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@x86_64",
"product": {
"name": "perl-main@x86_64",
"product_id": "perl-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl@5.42.2-524.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@noarch",
"product": {
"name": "perl-main@noarch",
"product_id": "perl-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl-Attribute-Handlers@1.03-524.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@aarch64"
},
"product_reference": "perl-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@noarch"
},
"product_reference": "perl-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@src"
},
"product_reference": "perl-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@x86_64"
},
"product_reference": "perl-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-12015",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1588760"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Directory traversal in Archive::Tar",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-12015"
},
{
"category": "external",
"summary": "RHBZ#1588760",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-12015",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12015"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
}
],
"release_date": "2018-06-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: Directory traversal in Archive::Tar"
},
{
"acknowledgments": [
{
"names": [
"the Perl project"
]
},
{
"names": [
"Jayakrishna Menon"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2018-18311",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2018-11-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1646730"
}
],
"notes": [
{
"category": "description",
"text": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Integer overflow leading to buffer overflow in Perl_my_setenv()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is present in versions of perl included with Red Hat Virtualization Hypervisor and Management Appliance, however it is not exposed in any meaningful way. Perl is only included in these images as a dependency of components which do not manipulate ENV, and are not exposed to user input. A future update may address this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-18311"
},
{
"category": "external",
"summary": "RHBZ#1646730",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646730"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-18311",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18311"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311"
}
],
"release_date": "2018-11-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "perl: Integer overflow leading to buffer overflow in Perl_my_setenv()"
},
{
"acknowledgments": [
{
"names": [
"the Perl project"
]
},
{
"names": [
"Eiichi Tsukata"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2018-18312",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-11-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1646734"
}
],
"notes": [
{
"category": "description",
"text": "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Heap-based buffer overflow in S_handle_regex_sets()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-18312"
},
{
"category": "external",
"summary": "RHBZ#1646734",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646734"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-18312",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18312"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312"
}
],
"release_date": "2018-11-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: Heap-based buffer overflow in S_handle_regex_sets()"
},
{
"acknowledgments": [
{
"names": [
"the Perl project"
]
},
{
"names": [
"Eiichi Tsukata"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2018-18313",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2018-11-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1646738"
}
],
"notes": [
{
"category": "description",
"text": "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Heap-based buffer read overflow in S_grok_bslash_N()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-18313"
},
{
"category": "external",
"summary": "RHBZ#1646738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646738"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-18313",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18313"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313"
}
],
"release_date": "2018-11-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "perl: Heap-based buffer read overflow in S_grok_bslash_N()"
},
{
"acknowledgments": [
{
"names": [
"the Perl project"
]
},
{
"names": [
"Jakub Wilk"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2018-18314",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"discovery_date": "2018-11-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1646751"
}
],
"notes": [
{
"category": "description",
"text": "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Heap-based buffer overflow in S_regatom()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-18314"
},
{
"category": "external",
"summary": "RHBZ#1646751",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646751"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-18314",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-18314"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314"
}
],
"release_date": "2018-11-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: Heap-based buffer overflow in S_regatom()"
},
{
"acknowledgments": [
{
"names": [
"Hugo van der Sanden",
"Slaven Rezic"
]
}
],
"cve": "CVE-2020-10878",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2020-05-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1837988"
}
],
"notes": [
{
"category": "description",
"text": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is an integer overflow triggered when an application compiles a specially crafted, untrusted regular expression pattern supplied by a user, as most applications match untrusted data against a trusted regex pattern.The flaw leads to a corruption of the intermediate language state. While this could theoretically allow an attacker to insert instructions, the resulting behavior is unpredictable, and any potential code execution is likely outside of an attacker\u0027s reliable control. Therefore, the most probable and practical impact is an application crash, resulting in a Denial of Service (DoS).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10878"
},
{
"category": "external",
"summary": "RHBZ#1837988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1837988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10878",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10878"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878"
}
],
"release_date": "2020-06-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
},
{
"category": "workaround",
"details": "To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS"
},
{
"acknowledgments": [
{
"names": [
"Sergey Aleynikov"
]
}
],
"cve": "CVE-2020-12723",
"cwe": {
"id": "CWE-624",
"name": "Executable Regular Expression Error"
},
"discovery_date": "2020-05-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838000"
}
],
"notes": [
{
"category": "description",
"text": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A vulnerability in the Perl regular expression compiler affects Red Hat Enterprise Linux 7 and 8. The flaw exists in the S_study_chunk() function\u0027s handling of GOSUB opcodes during regular expression compilation. When processing untrusted regular expressions, recursive calls to S_study_chunk() can corrupt the intermediate language state, allowing an attacker to inject malicious instructions into the compiled regular expression. This network-accessible vulnerability can lead to denial of service. To mitigate, applications should not allow compilation of untrusted regular expressions. Note that this issue affects regular expression compilation, not pattern matching against untrusted input.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-12723"
},
{
"category": "external",
"summary": "RHBZ#1838000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-12723",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12723"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723"
}
],
"release_date": "2020-06-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
},
{
"category": "workaround",
"details": "To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS"
},
{
"cve": "CVE-2023-31484",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2023-06-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2218667"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Perl\u0027s CPAN, which doesn\u0027t check TLS certificates when downloading content. This happens due to `verify_SSL` missing when suing the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-31484"
},
{
"category": "external",
"summary": "RHBZ#2218667",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218667"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-31484",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484"
}
],
"release_date": "2023-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS"
},
{
"cve": "CVE-2023-31486",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2023-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2228392"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Tiny, where a Perl core module and standalone CPAN package, does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=\u003e1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http-tiny: perl: insecure TLS cert default",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as a moderate severity because, it does not compromise data or credentials, it exposes users to significant security risks if HTTPS connections are not properly configured.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-31486"
},
{
"category": "external",
"summary": "RHBZ#2228392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-31486",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-31486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
}
],
"release_date": "2023-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T22:59:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7604"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http-tiny: perl: insecure TLS cert default"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…