CVE-2017-12883

Опубликовано: 12 сент. 2017

Источник: redhat

CVSS3: 6.5

EPSS Низкий

Описание

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.

A heap buffer overread was found in perl's grok_bslash_N() function, which is used in the compilation of Unicode nodes in regular expressions, possibly leading to crash or dump of memory segments via the error output. An attacker, able to provide a specially crafted regular expression, could look for sensible information in the error message, or crash perl.

Отчет

Perl as shipped in Red Hat Enterprise Linux 7 and older have not been found to be vulnerable. This vulnerability was not present in perl versions older than 5.20.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 5	perl	Not affected
Red Hat Enterprise Linux 6	perl	Not affected
Red Hat Enterprise Linux 7	perl	Not affected
Red Hat Software Collections	rh-perl520-perl	Not affected
Red Hat Software Collections	rh-perl524-perl	Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-125

https://bugzilla.redhat.com/show_bug.cgi?id=1492093perl: Buffer over-read in regular expression parser

EPSS

Процентиль: 89%

0.04509

Низкий

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2017-12883

CVSS3: 9.1

ubuntu

больше 8 лет назад

CVE-2017-12883

CVSS3: 9.1

nvd

больше 8 лет назад

CVE-2017-12883

CVSS3: 9.1

debian

больше 8 лет назад

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 ...

GHSA-h435-qr7v-xh34

CVSS3: 9.1

github

больше 3 лет назад

openSUSE-SU-2017:3101-1

suse-cvrf

около 8 лет назад

Security update for perl

EPSS

Процентиль: 89%

0.04509

Низкий

6.5 Medium

CVSS3