#VU114 XSLoader relative path error in Perl


Published: 2016-07-11

Vulnerability identifier: #VU114

Vulnerability risk: High

CVSSv3.1: 7.7 [AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6185

CWE-ID: CWE-141

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Perl
Universal components / Libraries / Scripting languages

Vendor: Perl

Description
The vulnerability allows a local user to obtain elevated privileges on the target system.

The vulnerability exists due to an access control error in Perl. A local user can load arbitrary code from the current working directory by supplying specially crafted data to the XSLoader component.

Successful exploitation of this vulnerability may result in execution of arbitrary code.

Mitigation
The vendor has issued a source code fix, available at:

http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee

Vulnerable software versions

Perl: 5.22.2-1


External links
http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker needs authentication credentials and must successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

