PT-2018-2303 · Perl 5 · Perl 5

Published: 2018-06-07 · Updated: 2020-08-24 · CVE-2018-12015

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Perl versions through 5.26.2

Description

The issue is related to the Archive::Tar module in Perl, which has a flaw in its directory-traversal protection mechanism. This flaw allows remote attackers to bypass the protection and overwrite arbitrary files using an archive file that contains a symlink and a regular file with the same name.

Recommendations

For Perl versions through 5.26.2, consider disabling the Archive::Tar module until a patch is available to prevent exploitation of this issue. Restrict access to archive files that may contain symlinks to minimize the risk of arbitrary file overwrites. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
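
A pre-extraction check for the archive pattern described above, as an added example that is not part of the original advisory or of Archive::Tar: it reads only the tar headers with Python's standard `tarfile` module and reports any member name used by both a symlink entry and a non-symlink entry. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import posixpath
import tarfile


def find_link_name_collisions(fileobj):
    """Return sorted member names used by both a symlink and a non-symlink entry."""
    links, others = set(), set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:  # iterates headers only; nothing is written to disk
            # Normalise so "./a" and "a" are compared as the same name.
            name = posixpath.normpath(member.name)
            if member.issym():
                links.add(name)
            else:
                others.add(name)
    return sorted(links & others)


def build_sample(entries):
    """Constructed in-memory tar; entries are (name, symlink_target or None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = target  # placeholder target, never resolved
                tar.addfile(info)
            else:
                data = b"constructed sample\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: one with the colliding pair, one without.
    flagged = build_sample([("report.txt", "placeholder-target"),
                            ("./report.txt", None)])
    clean = build_sample([("latest", "report.txt"), ("report.txt", None)])
    print("flagged:", find_link_name_collisions(flagged))
    print("clean:", find_link_name_collisions(clean))
```

An archive that returns a non-empty list can be rejected or quarantined before it reaches any extractor.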

Exploit

Path traversal

Link Following

Weakness Enumeration

Related Identifiers

ALT-PU-2018-1918
ALT-PU-2019-1131
BDU:2019-00435
CESA-2019_2097
CVE-2018-12015
DSA-4226-1
OPENSUSE-SU-2018_2010-1
OPENSUSE-SU-2018_2011-1
RHSA-2019:2097
RHSA-2019_2097
RHSA-2026:7604
SUSE-SU-2018:1972-1
SUSE-SU-2018:1972-2
SUSE-SU-2018:1977-1
SUSE-SU-2018:1992-1
SUSE-SU-2018_1972-1
SUSE-SU-2018_1972-2
SUSE-SU-2018_1977-1
SUSE-SU-2018_1992-1
USN-3684-1
USN-3684-2

Affected Products

Alt Linux
CentOS
Perl
Red Hat
SUSE
Ubuntu