XSLoader relative path error in Perl in Perl Perl



Published: 2016-07-11
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-6185
CWE-ID CWE-141
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
Perl
Universal components / Libraries / Scripting languages

Vendor Perl

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) XSLoader relative path error in Perl

EUVDB-ID: #VU114

Risk: High

CVSSv3.1: 7.7 [AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6185

CWE-ID: CWE-141 - Improper Neutralization of Parameter/Argument Delimiters

Exploit availability: No

Description

The vulnerability allows a local user to obtain elevated privileges on the target system.

The vulnerability exists due to an access control error in Perl. A local user can load arbitrary code from the current working directory by supplying specially crafted data to the XSLoader component.

Successful exploitation of this vulnerability may result in execution of arbitrary code.

Mitigation

The vendor has issued a source code fix, available at:

http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee

Vulnerable software versions

Perl: 5.22.2-1

External links

http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###