CVE-2016-1238 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2016-1238?

CVE-2016-1238 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-1238?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Perl Perl, Opensuse Leap, Apache Spamassassin.

Vulnerability Description

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	8.0
Fedoraproject	Fedora	23
Perl	Perl	1.0.15
Opensuse	Leap	15.0
Apache	Spamassassin	< 3.4.2

Related Weaknesses (CWE)

CWE-264

References

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.htmlThird Party Advisory
http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41Issue Tracking
http://www.debian.org/security/2016/dsa-3628Third Party Advisory
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.htmlThird Party Advisory
http://www.securityfocus.com/bid/92136Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1036440Third Party AdvisoryVDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-cThird Party Advisory
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e
https://lists.debian.org/debian-lts-announce/2018/11/msg00016.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://rt.perl.org/Public/Bug/Display.html?id=127834Permissions Required
https://security.gentoo.org/glsa/201701-75Third Party Advisory
https://security.gentoo.org/glsa/201812-07Third Party Advisory

FAQ

What is CVE-2016-1238?

CVE-2016-1238 is a vulnerability with a CVSS score of 7.8 (HIGH). (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode...

How severe is CVE-2016-1238?

CVE-2016-1238 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-1238?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Perl Perl, Opensuse Leap, Apache Spamassassin.