#VU107411 Heap-based buffer overflow in Perl - CVE-2024-56406
Vulnerability identifier: #VU107411
Vulnerability risk: High
CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID:
CWE-ID:
CWE-122
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Perl
Universal components / Libraries /
Scripting languages
Vendor: Perl
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the S_do_trans_invmap() function. A remote attacker can pass specially crafted input to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Perl: 5.31.6 - 5.31.11, 5.33.0 - 5.33.9, 5.34.0 - 5.34.3, 5.35.0 - 5.35.11, 5.36.0 - 5.36.3, 5.37.0 - 5.37.11, 5.38.0 - 5.38.3, 5.39.0 - 5.39.10, 5.40.0 - 5.41.10
External links
https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
https://metacpan.org/release/SHAY/perl-5.38.4/changes
https://metacpan.org/release/SHAY/perl-5.40.2/changes
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
