var-201806-0648
Vulnerability from variot
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. Perl Contains a path traversal vulnerability.Information may be tampered with. Perl is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application. Information obtained could aid in further attacks. Perl 5.26.2 and prior versions are vulnerable. Perl is a free and powerful cross-platform programming language developed by American programmer Larry Wall. A security vulnerability exists in the Archive::Tar module in Perl 5.26.2 and earlier. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: perl-Archive-Tar security update Advisory ID: RHSA-2019:2097-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2097 Issue date: 2019-08-06 CVE Names: CVE-2018-12015 ==================================================================== 1. Summary:
An update for perl-Archive-Tar is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch
Security Fix(es):
- perl: Directory traversal in Archive::Tar (CVE-2018-12015)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: perl-Archive-Tar-1.92-3.el7.src.rpm
noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: perl-Archive-Tar-1.92-3.el7.src.rpm
noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: perl-Archive-Tar-1.92-3.el7.src.rpm
noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: perl-Archive-Tar-1.92-3.el7.src.rpm
noarch: perl-Archive-Tar-1.92-3.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2018-12015 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXUl4sdzjgjWX9erEAQi6mw//djhWEf/xKLvAzFGIg6vOsD6SI4LHGRCu t5wotZBi4U38ktEQ8QKBOKqZ1/69uvs3Y4h59aCcv1WU4BqbuWuW9ZAZoNadRieR tKy5CSroeWRoExQQPLTEiCCWWPavAi6zgLLoLAXm+XzJgds0gKEN7X61VqpxDBhh wksoovuhk9oljC3GVnJg7L5Z8aGDVVRv7wp1fBrJ9g5F6Dj0oQmxuhp4i581+2uZ Xqc+5NDMw0hw0REMym1YAzqQdUkW7UUR8AocEt3+D4IHqbTlCr2e8pFEvkFy2Rnd OPZixM33aKQMLej4AoNVCNr0VREcZRK2Eh36GCdCF3N/m9DqsqJWpW1AlqJotIbY V8VEv1JYf5Na/+NhNMrpeIbsFEoIpNTO2FLVUMEOlJRqIEJsBndGNMgukV2sMqtS 1qpGSlUJ6FN8SE0h08bCAyokMAHtRtx4sVrtpdWgg8lw5sauCeefxwAkJESdxGj0 ZRleyq0oEkwxpX2PhpWNqMLTb8oNhEMJ2IgIAGkdya8flqkJq/EMRieqHfeuXwvE IKT/kfjqKRoF9GthCdtzb5/oRlCwyGbgZZyji47ToMrZIZgaz9ZBS7/L3BPqkr6S fu/W8z7j3Q2Y8/ICOfcdcI2xH98UUcr0WkRUUt0EyA9XeyZKrPzzwsOgyTZpITYA gSxbbqDK1oQ=+IUg -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-3684-2 June 13, 2018
perl vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Perl could be made to overwrite arbitrary files if it received a specially crafted archive file.
Software Description: - perl: Practical Extraction and Report Language
Details:
USN-3684-1 fixed a vulnerability in perl. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that Perl incorrectly handled certain archive files. An attacker could possibly use this to overwrite arbitrary files.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 ESM: perl 5.14.2-6ubuntu2.8
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Debian Security Advisory DSA-4226-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 12, 2018 https://www.debian.org/security/faq
Package : perl CVE ID : CVE-2018-12015 Debian Bug : 900834
Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.
For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11.
For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4.
We recommend that you upgrade your perl packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra
macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra are now available and addresses the following:
AppleGraphicsControl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team
Bom Available for: macOS Mojave 10.14.3 Impact: A malicious application may bypass Gatekeeper checks Description: This issue was addressed with improved handling of file metadata. CVE-2019-6239: Ian Moorhouse and Michael Trimm
CFString Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted string may lead to a denial of service Description: A validation issue was addressed with improved logic. CVE-2019-8516: SWIPS Team of Frifee Inc.
configd Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8552: Mohamed Ghannam (@_simo36)
Contacts Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow issue was addressed with improved memory handling. CVE-2019-8511: an anonymous researcher
CoreCrypto Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher
DiskArbitration Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password Description: A logic issue was addressed with improved state management. CVE-2019-8522: Colin Meginnis (@falc420)
FaceTime Available for: macOS Mojave 10.14.3 Impact: A user's video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. CVE-2019-8550: Lauren Guzniczak of Keystone Academy
Feedback Assistant Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to gain root privileges Description: A race condition was addressed with additional validation. CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs
Feedback Assistant Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs
file Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted file might disclose user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-6237: an anonymous researcher
Graphics Drivers Available for: macOS Mojave 10.14.3 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative
iAP Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher
IOGraphics Available for: macOS Mojave 10.14.3 Impact: A Mac may not lock when disconnecting from an external monitor Description: A lock handling issue was addressed with improved lock handling. CVE-2019-8533: an anonymous researcher, James Eagan of Télécom ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT
IOHIDFamily Available for: macOS Mojave 10.14.3 Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: A memory corruption issue was addressed with improved state management. CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team
IOKit Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8504: an anonymous researcher
IOKit SCSI Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro
Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: A buffer overflow was addressed with improved size validation. CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)
Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8508: Dr. Silvio Cesare of InfoSect
Kernel Available for: macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A logic issue was addressed with improved state management. CVE-2019-8514: Samuel Groß of Google Project Zero
Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team
Kernel Available for: macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-7293: Ned Williamson of Google
Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan) CVE-2019-8510: Stefan Esser of Antid0te UG
Messages Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view sensitive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2019-8546: ChiYuan Chang
Notes Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view a user's locked notes Description: An access issue was addressed with improved memory management. CVE-2019-8537: Greg Walker (gregwalker.us)
PackageKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2019-8561: Jaron Bradley of Crowdstrike
Perl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: Multiple issues in Perl Description: Multiple issues in Perl were addressed in this update. CVE-2018-12015: Jakub Wilk CVE-2018-18311: Jayakrishna Menon CVE-2018-18313: Eiichi Tsukata
Power Management Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation. CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com)
QuartzCore Available for: macOS Mojave 10.14.3 Impact: Processing malicious data may lead to unexpected application termination Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2019-8507: Kai Lu or Fortinet's FortiGuard Labs
Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8526: Linus Henze (pinauten.de)
Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC)
Siri Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to initiate a Dictation request without user authorization Description: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation. CVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Carabaș of University POLITEHNICA of Bucharest, and Răzvan Deaconescu of University POLITEHNICA of Bucharest
Time Machine Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to execute arbitrary shell commands Description: This issue was addressed with improved checks. CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs
TrueTypeScaler Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative
XPC Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs
Additional recognition
Accounts We would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt for their assistance.
Books We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.
Mail We would like to acknowledge Craig Young of Tripwire VERT and Hanno Böck for their assistance.
Time Machine We would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance.
Installation note:
macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9 FvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT vyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D Eqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33 iAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM ucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB sSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p 7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J +9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7 OLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0 zBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS 1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk= =QV0f -----END PGP SIGNATURE-----
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201806-0648", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "ubuntu linux", "scope": "eq", "trust": 1.6, "vendor": "canonical", "version": "16.04" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "12.04" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "14.04" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "17.10" }, { "model": "snapdrive", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "oncommand workflow automation", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "8.0" }, { "model": "mac os x", "scope": "lt", "trust": 1.0, "vendor": "apple", "version": "10.14.4" }, { "model": "archive\\:\\:tar", "scope": "lte", "trust": 1.0, "vendor": "archive tar", "version": "2.28" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "18.04" }, { "model": "data ontap edge", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "perl", "scope": "lte", "trust": 1.0, "vendor": "perl", "version": "5.26.2" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "9.0" }, { "model": "snap creator framework", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "archive::tar", "scope": null, "trust": 0.8, "vendor": "archive tar", "version": null }, { "model": "ubuntu", "scope": null, "trust": 0.8, "vendor": "canonical", "version": null }, { "model": "gnu/linux", "scope": null, "trust": 0.8, "vendor": "debian", "version": null }, { "model": "perl", "scope": "lte", "trust": 0.8, "vendor": "the perl", "version": "5.26.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.14" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.64" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.7.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.20.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.7" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.2.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.18" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.9.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.52" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.96" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.14.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.31" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.62" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.3.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.61" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.14.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.16" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.7" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.26.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.16.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.8" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.7.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.01" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.66" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.11.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.1.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.20" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.6.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.1.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.21" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.73" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.8" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.15" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.47" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.17.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.43" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.18.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.12.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.22.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.93" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.26" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.16.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.22" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.89" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.71" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.18.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.48" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.67" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.11.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.8" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.90" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.4.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.15.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.4" }, { "model": "rc1", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.10.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.92" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.8" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.2.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.85" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.49" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.88" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.80" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.68" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.63" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.5.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.83" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.86" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.87" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.9.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.65" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.13.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.84" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.24.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.11" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.12.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.91" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.99" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.7" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.20.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.24" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.10" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.97" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.11" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.9.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.7" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.2.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.44" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.81" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.98" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.7.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.11.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.94" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.16.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.70" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.9" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.17" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.10" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.10" }, { "model": "rc2", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.10.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.22" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.1.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.82" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.12" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.10.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.0.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.8.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.17.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.14.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.41" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.45" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.16" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.14" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.95" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.12.0" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.11.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.5.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.42" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.00" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.1.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.20" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.72" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "1.46" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.4" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.69" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.6.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.3" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "0.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.11.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.12.1" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.17.7" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.11.5" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.14.2" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.13.9" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "5.8.6" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.10.7" }, { "model": "perl", "scope": "eq", "trust": 0.3, "vendor": "perl", "version": "2.9.1" } ], "sources": [ { "db": "BID", "id": "104423" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "CNNVD", "id": "CNNVD-201806-391" }, { "db": "NVD", "id": "CVE-2018-12015" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:archive%3a%3atar_project:archive%3a%3atar", "vulnerable": true }, { "cpe22Uri": "cpe:/o:canonical:ubuntu_linux", "vulnerable": true }, { "cpe22Uri": "cpe:/o:debian:debian_linux", "vulnerable": true }, { "cpe22Uri": "cpe:/a:perl:perl", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006155" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apple,Red Hat", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-391" } ], "trust": 0.6 }, "cve": "CVE-2018-12015", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2018-12015", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "VHN-121932", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "id": "CVE-2018-12015", "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.8, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2018-12015", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2018-12015", "trust": 0.8, "value": "High" }, { "author": "CNNVD", "id": "CNNVD-201806-391", "trust": 0.6, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-121932", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2018-12015", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-121932" }, { "db": "VULMON", "id": "CVE-2018-12015" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "CNNVD", "id": "CNNVD-201806-391" }, { "db": "NVD", "id": "CVE-2018-12015" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. Perl Contains a path traversal vulnerability.Information may be tampered with. Perl is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. \nRemote attackers may use a specially crafted request with directory-traversal sequences (\u0027../\u0027) to retrieve arbitrary files from the affected system in the context of the application. Information obtained could aid in further attacks. \nPerl 5.26.2 and prior versions are vulnerable. Perl is a free and powerful cross-platform programming language developed by American programmer Larry Wall. A security vulnerability exists in the Archive::Tar module in Perl 5.26.2 and earlier. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: perl-Archive-Tar security update\nAdvisory ID: RHSA-2019:2097-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2019:2097\nIssue date: 2019-08-06\nCVE Names: CVE-2018-12015\n====================================================================\n1. Summary:\n\nAn update for perl-Archive-Tar is now available for Red Hat Enterprise\nLinux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode (v. 7) - noarch\nRed Hat Enterprise Linux Server (v. 7) - noarch\nRed Hat Enterprise Linux Workstation (v. 7) - noarch\n\n3. \n\nSecurity Fix(es):\n\n* perl: Directory traversal in Archive::Tar (CVE-2018-12015)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.7 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nperl-Archive-Tar-1.92-3.el7.src.rpm\n\nnoarch:\nperl-Archive-Tar-1.92-3.el7.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-12015\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXUl4sdzjgjWX9erEAQi6mw//djhWEf/xKLvAzFGIg6vOsD6SI4LHGRCu\nt5wotZBi4U38ktEQ8QKBOKqZ1/69uvs3Y4h59aCcv1WU4BqbuWuW9ZAZoNadRieR\ntKy5CSroeWRoExQQPLTEiCCWWPavAi6zgLLoLAXm+XzJgds0gKEN7X61VqpxDBhh\nwksoovuhk9oljC3GVnJg7L5Z8aGDVVRv7wp1fBrJ9g5F6Dj0oQmxuhp4i581+2uZ\nXqc+5NDMw0hw0REMym1YAzqQdUkW7UUR8AocEt3+D4IHqbTlCr2e8pFEvkFy2Rnd\nOPZixM33aKQMLej4AoNVCNr0VREcZRK2Eh36GCdCF3N/m9DqsqJWpW1AlqJotIbY\nV8VEv1JYf5Na/+NhNMrpeIbsFEoIpNTO2FLVUMEOlJRqIEJsBndGNMgukV2sMqtS\n1qpGSlUJ6FN8SE0h08bCAyokMAHtRtx4sVrtpdWgg8lw5sauCeefxwAkJESdxGj0\nZRleyq0oEkwxpX2PhpWNqMLTb8oNhEMJ2IgIAGkdya8flqkJq/EMRieqHfeuXwvE\nIKT/kfjqKRoF9GthCdtzb5/oRlCwyGbgZZyji47ToMrZIZgaz9ZBS7/L3BPqkr6S\nfu/W8z7j3Q2Y8/ICOfcdcI2xH98UUcr0WkRUUt0EyA9XeyZKrPzzwsOgyTZpITYA\ngSxbbqDK1oQ=+IUg\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. ==========================================================================\nUbuntu Security Notice USN-3684-2\nJune 13, 2018\n\nperl vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nPerl could be made to overwrite arbitrary files if it received\na specially crafted archive file. \n\nSoftware Description:\n- perl: Practical Extraction and Report Language\n\nDetails:\n\nUSN-3684-1 fixed a vulnerability in perl. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. \n\nOriginal advisory details:\n\n It was discovered that Perl incorrectly handled certain archive files. \n An attacker could possibly use this to overwrite arbitrary files. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n perl 5.14.2-6ubuntu2.8\n\nIn general, a standard system update will make all the necessary\nchanges. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4226-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 12, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : perl\nCVE ID : CVE-2018-12015\nDebian Bug : 900834\n\nJakub Wilk discovered a directory traversal flaw in the Archive::Tar\nmodule, allowing an attacker to overwrite any file writable by the\nextracting user via a specially crafted tar archive. \n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 5.20.2-3+deb8u11. \n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 5.24.1-3+deb9u4. \n\nWe recommend that you upgrade your perl packages. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update\n2019-002 High Sierra, Security Update 2019-002 Sierra\n\nmacOS Mojave 10.14.4, Security Update 2019-002 High Sierra,\nSecurity Update 2019-002 Sierra are now available and\naddresses the following:\n\nAppleGraphicsControl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to execute arbitrary code\nwith kernel privileges\nDescription: A buffer overflow was addressed with improved size\nvalidation. \nCVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and\nshrek_wzw of Qihoo 360 Nirvan Team\n\nBom\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may bypass Gatekeeper checks\nDescription: This issue was addressed with improved handling of file\nmetadata. \nCVE-2019-6239: Ian Moorhouse and Michael Trimm\n\nCFString\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted string may lead to a denial\nof service\nDescription: A validation issue was addressed with improved logic. \nCVE-2019-8516: SWIPS Team of Frifee Inc. \n\nconfigd\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8552: Mohamed Ghannam (@_simo36)\n\nContacts\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow issue was addressed with improved\nmemory handling. \nCVE-2019-8511: an anonymous researcher\n\nCoreCrypto\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8542: an anonymous researcher\n\nDiskArbitration\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: An encrypted volume may be unmounted and remounted by a\ndifferent user without prompting for the password\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2019-8522: Colin Meginnis (@falc420)\n\nFaceTime\nAvailable for: macOS Mojave 10.14.3\nImpact: A user\u0027s video may not be paused in a FaceTime call if they\nexit the FaceTime app while the call is ringing\nDescription: An issue existed in the pausing of FaceTime video. The\nissue was resolved with improved logic. \nCVE-2019-8550: Lauren Guzniczak of Keystone Academy\n\nFeedback Assistant\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to gain root privileges\nDescription: A race condition was addressed with additional\nvalidation. \nCVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs\n\nFeedback Assistant\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to overwrite arbitrary\nfiles\nDescription: This issue was addressed with improved checks. \nCVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs\n\nfile\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted file might disclose user\ninformation\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-6237: an anonymous researcher\n\nGraphics Drivers\nAvailable for: macOS Mojave 10.14.3\nImpact: An application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin\n(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend\nMicro\u0027s Zero Day Initiative\n\niAP\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8542: an anonymous researcher\n\nIOGraphics\nAvailable for: macOS Mojave 10.14.3\nImpact: A Mac may not lock when disconnecting from an external\nmonitor\nDescription: A lock handling issue was addressed with improved lock\nhandling. \nCVE-2019-8533: an anonymous researcher, James Eagan of T\u00e9l\u00e9com\nParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT\n\nIOHIDFamily\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to cause unexpected system\ntermination or read kernel memory\nDescription: A memory corruption issue was addressed with improved\nstate management. \nCVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team\n\nIOKit\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\nImpact: A local user may be able to read kernel memory\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8504: an anonymous researcher\n\nIOKit SCSI\nAvailable for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nCVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A remote attacker may be able to cause unexpected system\ntermination or corrupt kernel memory\nDescription: A buffer overflow was addressed with improved size\nvalidation. \nCVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: Mounting a maliciously crafted NFS network share may lead to\narbitrary code execution with system privileges\nDescription: A buffer overflow was addressed with improved bounds\nchecking. \nCVE-2019-8508: Dr. Silvio Cesare of InfoSect\n\nKernel\nAvailable for: macOS Mojave 10.14.3\nImpact: An application may be able to gain elevated privileges\nDescription: A logic issue was addressed with improved state\nmanagement. \nCVE-2019-8514: Samuel Gro\u00df of Google Project Zero\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: A memory initialization issue was addressed with\nimproved memory handling. \nCVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team\n\nKernel\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to read kernel memory\nDescription: A memory corruption issue was addressed with improved\nmemory handling. \nCVE-2019-7293: Ned Williamson of Google\n\nKernel\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An out-of-bounds read issue existed that led to the\ndisclosure of kernel memory. This was addressed with improved input\nvalidation. \nCVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)\nCVE-2019-8510: Stefan Esser of Antid0te UG\n\nMessages\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to view sensitive user information\nDescription: An access issue was addressed with additional sandbox\nrestrictions. \nCVE-2019-8546: ChiYuan Chang\n\nNotes\nAvailable for: macOS Mojave 10.14.3\nImpact: A local user may be able to view a user\u0027s locked notes\nDescription: An access issue was addressed with improved memory\nmanagement. \nCVE-2019-8537: Greg Walker (gregwalker.us)\n\nPackageKit\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to elevate privileges\nDescription: A logic issue was addressed with improved validation. \nCVE-2019-8561: Jaron Bradley of Crowdstrike\n\nPerl\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: Multiple issues in Perl\nDescription: Multiple issues in Perl were addressed in this update. \nCVE-2018-12015: Jakub Wilk\nCVE-2018-18311: Jayakrishna Menon\nCVE-2018-18313: Eiichi Tsukata\n\nPower Management\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to execute arbitrary code\nwith system privileges\nDescription: Multiple input validation issues existed in MIG\ngenerated code. These issues were addressed with improved validation. \nCVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure\n(ssd-disclosure.com)\n\nQuartzCore\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing malicious data may lead to unexpected application\ntermination\nDescription: Multiple memory corruption issues were addressed with\nimproved input validation. \nCVE-2019-8507: Kai Lu or Fortinet\u0027s FortiGuard Labs\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: An application may be able to gain elevated privileges\nDescription: A use after free issue was addressed with improved\nmemory management. \nCVE-2019-8526: Linus Henze (pinauten.de)\n\nSecurity\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A malicious application may be able to read restricted memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8520: Antonio Groza, The UK\u0027s National Cyber Security Centre\n(NCSC)\n\nSiri\nAvailable for: macOS Mojave 10.14.3\nImpact: A malicious application may be able to initiate a Dictation\nrequest without user authorization\nDescription: An API issue existed in the handling of dictation\nrequests. This issue was addressed with improved validation. \nCVE-2019-8502: Luke Deshotels of North Carolina State University,\nJordan Beichler of North Carolina State University, William Enck of\nNorth Carolina State University, Costin Caraba\u0219 of University\nPOLITEHNICA of Bucharest, and R\u0103zvan Deaconescu of University\nPOLITEHNICA of Bucharest\n\nTime Machine\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS\nMojave 10.14.3\nImpact: A local user may be able to execute arbitrary shell commands\nDescription: This issue was addressed with improved checks. \nCVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs\n\nTrueTypeScaler\nAvailable for: macOS Mojave 10.14.3\nImpact: Processing a maliciously crafted font may result in the\ndisclosure of process memory\nDescription: An out-of-bounds read was addressed with improved bounds\nchecking. \nCVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero\nDay Initiative\n\nXPC\nAvailable for: macOS Sierra 10.12.6, macOS Mojave 10.14.3\nImpact: A malicious application may be able to overwrite arbitrary\nfiles\nDescription: This issue was addressed with improved checks. \nCVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs\n\nAdditional recognition\n\nAccounts\nWe would like to acknowledge Milan Stute of Secure Mobile Networking\nLab at Technische Universit\u00e4t Darmstadt for their assistance. \n\nBooks\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) for\ntheir assistance. \n\nKernel\nWe would like to acknowledge Brandon Azad of Google Project Zero for\ntheir assistance. \n\nMail\nWe would like to acknowledge Craig Young of Tripwire VERT and Hanno\nB\u00f6ck for their assistance. \n\nTime Machine\nWe would like to acknowledge CodeColorist of Ant-Financial LightYear\nLabs for their assistance. \n\nInstallation note:\n\nmacOS Mojave 10.14.4, Security Update 2019-002 High Sierra,\nSecurity Update 2019-002 Sierra may be obtained from the\nMac App Store or Apple\u0027s Software Downloads web site:\nhttps://support.apple.com/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt\nc2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9\nFvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT\nvyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D\nEqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33\niAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM\nucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB\nsSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p\n7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J\n+9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7\nOLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0\nzBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS\n1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk=\n=QV0f\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2018-12015" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "BID", "id": "104423" }, { "db": "VULHUB", "id": "VHN-121932" }, { "db": "VULMON", "id": "CVE-2018-12015" }, { "db": "PACKETSTORM", "id": "153939" }, { "db": "PACKETSTORM", "id": "148182" }, { "db": "PACKETSTORM", "id": "148186" }, { "db": "PACKETSTORM", "id": "148159" }, { "db": "PACKETSTORM", "id": "152222" } ], "trust": 2.52 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2018-12015", "trust": 3.4 }, { "db": "BID", "id": "104423", "trust": 2.1 }, { "db": "SECTRACK", "id": "1041048", "trust": 1.8 }, { "db": "PACKETSTORM", "id": "153939", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "152222", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2018-006155", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201806-391", "trust": 0.7 }, { "db": "AUSCERT", "id": "ESB-2019.2986", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.0990", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "148186", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "148159", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "148182", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-121932", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2018-12015", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-121932" }, { "db": "VULMON", "id": "CVE-2018-12015" }, { "db": "BID", "id": "104423" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "PACKETSTORM", "id": "153939" }, { "db": "PACKETSTORM", "id": "148182" }, { "db": "PACKETSTORM", "id": "148186" }, { "db": "PACKETSTORM", "id": "148159" }, { "db": "PACKETSTORM", "id": "152222" }, { "db": "CNNVD", "id": "CNNVD-201806-391" }, { "db": "NVD", "id": "CVE-2018-12015" } ] }, "id": "VAR-201806-0648", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-121932" } ], "trust": 0.01 }, "last_update_date": "2024-11-23T21:11:43.028000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "900834", "trust": 0.8, "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834" }, { "title": "DSA-4226", "trust": 0.8, "url": "https://www.debian.org/security/2018/dsa-4226" }, { "title": "Top Page", "trust": 0.8, "url": "https://www.perl.org/" }, { "title": "USN-3684-1", "trust": 0.8, "url": "https://usn.ubuntu.com/3684-1/" }, { "title": "USN-3684-2", "trust": 0.8, "url": "https://usn.ubuntu.com/3684-2/" }, { "title": "Red Hat: Moderate: perl-Archive-Tar security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20192097 - Security Advisory" }, { "title": "Debian CVElist Bug Report Logs: perl: CVE-2018-12015: Archive::Tar: directory traversal", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=ae01e1751a4de5ce20f0a869eb70bbc1" }, { "title": "Ubuntu Security Notice: perl vulnerability", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3684-2" }, { "title": "Ubuntu Security Notice: perl vulnerability", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3684-1" }, { "title": "Debian Security Advisories: DSA-4226-1 perl -- security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=162819cebf8a5021e191f0a64ae86db8" }, { "title": "Amazon Linux AMI: ALAS-2019-1287", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2019-1287" }, { "title": "Red Hat: CVE-2018-12015", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2018-12015" }, { "title": "Amazon Linux 2: ALAS2-2019-1330", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2019-1330" }, { "title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2019", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=aea3fcafd82c179d3a5dfa015e920864" }, { "title": "traversal-archives", "trust": 0.1, "url": "https://github.com/jwilk/traversal-archives " }, { "title": "iot-cves", "trust": 0.1, "url": "https://github.com/InesMartins31/iot-cves " }, { "title": "Exp101tsArchiv30thers", "trust": 0.1, "url": "https://github.com/nu11secur1ty/Exp101tsArchiv30thers " }, { "title": "awesome-cve-poc_qazbnm456", "trust": 0.1, "url": "https://github.com/xbl3/awesome-cve-poc_qazbnm456 " } ], "sources": [ { "db": "VULMON", "id": "CVE-2018-12015" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-59", "trust": 1.1 }, { "problemtype": "CWE-22", "trust": 0.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-121932" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "NVD", "id": "CVE-2018-12015" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "https://access.redhat.com/errata/rhsa-2019:2097" }, { "trust": 2.5, "url": "http://www.securityfocus.com/bid/104423" }, { "trust": 2.1, "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834" }, { "trust": 1.9, "url": "https://usn.ubuntu.com/3684-2/" }, { "trust": 1.8, "url": "https://seclists.org/bugtraq/2019/mar/42" }, { "trust": 1.8, "url": "https://security.netapp.com/advisory/ntap-20180927-0001/" }, { "trust": 1.8, "url": "https://support.apple.com/kb/ht209600" }, { "trust": 1.8, "url": "https://www.debian.org/security/2018/dsa-4226" }, { "trust": 1.8, "url": "http://seclists.org/fulldisclosure/2019/mar/49" }, { "trust": 1.8, "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "trust": 1.8, "url": "http://www.securitytracker.com/id/1041048" }, { "trust": 1.8, "url": "https://usn.ubuntu.com/3684-1/" }, { "trust": 1.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12015" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12015" }, { "trust": 0.6, "url": "https://support.apple.com/en-au/ht209600" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.2986/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/77806" }, { "trust": 0.6, "url": "https://support.apple.com/en-us/ht209600" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/152222/apple-security-advisory-2019-3-25-2.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/153939/red-hat-security-advisory-2019-2097-01.html" }, { "trust": 0.6, "url": "http://www.ibm.com/support/docview.wss?uid=ibm10870798" }, { "trust": 0.4, "url": "https://access.redhat.com/security/cve/cve-2018-12015" }, { "trust": 0.3, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760" }, { "trust": 0.3, "url": "www.perl.org" }, { "trust": 0.2, "url": "https://usn.ubuntu.com/usn/usn-3684-1" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/59.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://tools.cisco.com/security/center/viewalert.x?alertid=58456" }, { "trust": 0.1, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.1, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/perl/5.26.1-6ubuntu0.1" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/perl/5.22.1-9ubuntu0.5" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/perl/5.26.0-8ubuntu1.2" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/perl/5.18.2-2ubuntu1.6" }, { "trust": 0.1, "url": "https://usn.ubuntu.com/usn/usn-3684-2" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/perl" }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8514" }, { "trust": 0.1, "url": "https://support.apple.com/kb/ht201222" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8511" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8519" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8502" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8516" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6239" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8522" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18313" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6237" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8540" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8526" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8527" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8533" }, { "trust": 0.1, "url": "https://support.apple.com/downloads/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8520" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8517" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8521" }, { "trust": 0.1, "url": "https://www.apple.com/support/security/pgp/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6207" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8504" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-7293" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8510" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8508" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8530" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8513" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8529" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8537" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8507" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-18311" } ], "sources": [ { "db": "VULHUB", "id": "VHN-121932" }, { "db": "VULMON", "id": "CVE-2018-12015" }, { "db": "BID", "id": "104423" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "PACKETSTORM", "id": "153939" }, { "db": "PACKETSTORM", "id": "148182" }, { "db": "PACKETSTORM", "id": "148186" }, { "db": "PACKETSTORM", "id": "148159" }, { "db": "PACKETSTORM", "id": "152222" }, { "db": "CNNVD", "id": "CNNVD-201806-391" }, { "db": "NVD", "id": "CVE-2018-12015" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-121932" }, { "db": "VULMON", "id": "CVE-2018-12015" }, { "db": "BID", "id": "104423" }, { "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "db": "PACKETSTORM", "id": "153939" }, { "db": "PACKETSTORM", "id": "148182" }, { "db": "PACKETSTORM", "id": "148186" }, { "db": "PACKETSTORM", "id": "148159" }, { "db": "PACKETSTORM", "id": "152222" }, { "db": "CNNVD", "id": "CNNVD-201806-391" }, { "db": "NVD", "id": "CVE-2018-12015" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-06-07T00:00:00", "db": "VULHUB", "id": "VHN-121932" }, { "date": "2018-06-07T00:00:00", "db": "VULMON", "id": "CVE-2018-12015" }, { "date": "2018-06-07T00:00:00", "db": "BID", "id": "104423" }, { "date": "2018-08-09T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "date": "2019-08-06T21:11:21", "db": "PACKETSTORM", "id": "153939" }, { "date": "2018-06-13T15:23:00", "db": "PACKETSTORM", "id": "148182" }, { "date": "2018-06-13T14:42:00", "db": "PACKETSTORM", "id": "148186" }, { "date": "2018-06-12T16:08:35", "db": "PACKETSTORM", "id": "148159" }, { "date": "2019-03-26T14:40:53", "db": "PACKETSTORM", "id": "152222" }, { "date": "2018-06-08T00:00:00", "db": "CNNVD", "id": "CNNVD-201806-391" }, { "date": "2018-06-07T13:29:00.240000", "db": "NVD", "id": "CVE-2018-12015" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-08-24T00:00:00", "db": "VULHUB", "id": "VHN-121932" }, { "date": "2020-08-24T00:00:00", "db": "VULMON", "id": "CVE-2018-12015" }, { "date": "2018-06-07T00:00:00", "db": "BID", "id": "104423" }, { "date": "2018-08-09T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006155" }, { "date": "2021-10-29T00:00:00", "db": "CNNVD", "id": "CNNVD-201806-391" }, { "date": "2024-11-21T03:44:24.850000", "db": "NVD", "id": "CVE-2018-12015" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-391" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Perl Path traversal vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006155" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "post link", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-391" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.