CVE-2018-12015 — HIGH (7.5)

Q: How severe is CVE-2018-12015?

CVE-2018-12015 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-12015?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux, Perl Perl, Archive\ \, Apple Mac Os X.

Vulnerability Description

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	8.0
Perl	Perl	<= 5.26.2
Archive\	\	<= 2.28, tar_project
Apple	Mac Os X	< 10.14.4
Netapp	Data Ontap Edge	-
Netapp	Oncommand Workflow Automation	-
Netapp	Snap Creator Framework	-
Netapp	Snapdrive	-

Related Weaknesses (CWE)

CWE-59

References

http://seclists.org/fulldisclosure/2019/Mar/49Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/104423Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041048Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:2097
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834ExploitMailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Mar/42Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20180927-0001/PatchThird Party Advisory
https://support.apple.com/kb/HT209600Third Party Advisory
https://usn.ubuntu.com/3684-1/Third Party Advisory
https://usn.ubuntu.com/3684-2/Third Party Advisory
https://www.debian.org/security/2018/dsa-4226Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
http://seclists.org/fulldisclosure/2019/Mar/49Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/104423Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041048Third Party AdvisoryVDB Entry

FAQ

What is CVE-2018-12015?

CVE-2018-12015 is a vulnerability with a CVSS score of 7.5 (HIGH). In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink an...

How severe is CVE-2018-12015?

CVE-2018-12015 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12015?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux, Perl Perl, Archive\ \, Apple Mac Os X.