Vulnerability Details CVE-2016-1238
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 48.1%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 7.2
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html
- http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab
- http://www.debian.org/security/2016/dsa-3628
- http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html
- http://www.securityfocus.com/bid/92136
- http://www.securitytracker.com/id/1036440
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FBQOCV3GBAN2EYZUM3CFDJ4ECA3GZOK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZBNQH3DMI7HDELJAZ4TFJJANHXOEDWH/
- https://rt.perl.org/Public/Bug/Display.html?id=127834
- https://security.gentoo.org/glsa/201701-75
- https://security.gentoo.org/glsa/201812-07
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html
- http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab
- http://www.debian.org/security/2016/dsa-3628
- http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html
- http://www.securityfocus.com/bid/92136
- http://www.securitytracker.com/id/1036440
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FBQOCV3GBAN2EYZUM3CFDJ4ECA3GZOK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZBNQH3DMI7HDELJAZ4TFJJANHXOEDWH/
- https://rt.perl.org/Public/Bug/Display.html?id=127834
- https://security.gentoo.org/glsa/201701-75
- https://security.gentoo.org/glsa/201812-07
Products affected by CVE-2016-1238
-
cpe:2.3:a:apache:spamassassin:-
-
cpe:2.3:a:apache:spamassassin:3.0.1
-
cpe:2.3:a:apache:spamassassin:3.0.2
-
cpe:2.3:a:apache:spamassassin:3.0.3
-
cpe:2.3:a:apache:spamassassin:3.0.4
-
cpe:2.3:a:apache:spamassassin:3.0.6
-
cpe:2.3:a:apache:spamassassin:3.1.0
-
cpe:2.3:a:apache:spamassassin:3.1.1
-
cpe:2.3:a:apache:spamassassin:3.1.2
-
cpe:2.3:a:apache:spamassassin:3.1.3
-
cpe:2.3:a:apache:spamassassin:3.1.4
-
cpe:2.3:a:apache:spamassassin:3.1.5
-
cpe:2.3:a:apache:spamassassin:3.1.6
-
cpe:2.3:a:apache:spamassassin:3.1.7
-
cpe:2.3:a:apache:spamassassin:3.1.8
-
cpe:2.3:a:apache:spamassassin:3.2.0
-
cpe:2.3:a:apache:spamassassin:3.2.1
-
cpe:2.3:a:apache:spamassassin:3.2.2
-
cpe:2.3:a:apache:spamassassin:3.2.3
-
cpe:2.3:a:apache:spamassassin:3.2.4
-
cpe:2.3:a:apache:spamassassin:3.2.5
-
cpe:2.3:a:apache:spamassassin:3.3.0
-
cpe:2.3:a:apache:spamassassin:3.3.1
-
cpe:2.3:a:apache:spamassassin:3.3.2
-
cpe:2.3:a:apache:spamassassin:3.4.0
-
cpe:2.3:a:apache:spamassassin:3.4.1
-
cpe:2.3:a:perl:perl:1.0.15
-
cpe:2.3:a:perl:perl:1.0.16
-
cpe:2.3:a:perl:perl:5.000
-
cpe:2.3:a:perl:perl:5.000o
-
cpe:2.3:a:perl:perl:5.001
-
cpe:2.3:a:perl:perl:5.001n
-
cpe:2.3:a:perl:perl:5.002
-
cpe:2.3:a:perl:perl:5.002_01
-
cpe:2.3:a:perl:perl:5.003
-
cpe:2.3:a:perl:perl:5.003_01
-
cpe:2.3:a:perl:perl:5.003_02
-
cpe:2.3:a:perl:perl:5.003_03
-
cpe:2.3:a:perl:perl:5.003_04
-
cpe:2.3:a:perl:perl:5.003_05
-
cpe:2.3:a:perl:perl:5.003_07
-
cpe:2.3:a:perl:perl:5.003_08
-
cpe:2.3:a:perl:perl:5.003_09
-
cpe:2.3:a:perl:perl:5.003_10
-
cpe:2.3:a:perl:perl:5.003_11
-
cpe:2.3:a:perl:perl:5.003_12
-
cpe:2.3:a:perl:perl:5.003_13
-
cpe:2.3:a:perl:perl:5.003_14
-
cpe:2.3:a:perl:perl:5.003_15
-
cpe:2.3:a:perl:perl:5.003_16
-
cpe:2.3:a:perl:perl:5.003_17
-
cpe:2.3:a:perl:perl:5.003_18
-
cpe:2.3:a:perl:perl:5.003_19
-
cpe:2.3:a:perl:perl:5.003_20
-
cpe:2.3:a:perl:perl:5.003_21
-
cpe:2.3:a:perl:perl:5.003_22
-
cpe:2.3:a:perl:perl:5.003_23
-
cpe:2.3:a:perl:perl:5.003_24
-
cpe:2.3:a:perl:perl:5.003_25
-
cpe:2.3:a:perl:perl:5.003_26
-
cpe:2.3:a:perl:perl:5.003_27
-
cpe:2.3:a:perl:perl:5.003_28
-
cpe:2.3:a:perl:perl:5.003_90
-
cpe:2.3:a:perl:perl:5.003_91
-
cpe:2.3:a:perl:perl:5.003_92
-
cpe:2.3:a:perl:perl:5.003_93
-
cpe:2.3:a:perl:perl:5.003_94
-
cpe:2.3:a:perl:perl:5.003_95
-
cpe:2.3:a:perl:perl:5.003_96
-
cpe:2.3:a:perl:perl:5.003_97
-
cpe:2.3:a:perl:perl:5.003_97a
-
cpe:2.3:a:perl:perl:5.003_97b
-
cpe:2.3:a:perl:perl:5.003_97c
-
cpe:2.3:a:perl:perl:5.003_97d
-
cpe:2.3:a:perl:perl:5.003_97e
-
cpe:2.3:a:perl:perl:5.003_97f
-
cpe:2.3:a:perl:perl:5.003_97g
-
cpe:2.3:a:perl:perl:5.003_97h
-
cpe:2.3:a:perl:perl:5.003_97i
-
cpe:2.3:a:perl:perl:5.003_97j
-
cpe:2.3:a:perl:perl:5.003_98
-
cpe:2.3:a:perl:perl:5.003_99
-
cpe:2.3:a:perl:perl:5.003_99a
-
cpe:2.3:a:perl:perl:5.004
-
cpe:2.3:a:perl:perl:5.004_01
-
cpe:2.3:a:perl:perl:5.004_02
-
cpe:2.3:a:perl:perl:5.004_03
-
cpe:2.3:a:perl:perl:5.004_04
-
cpe:2.3:a:perl:perl:5.004_05
-
cpe:2.3:a:perl:perl:5.005
-
cpe:2.3:a:perl:perl:5.005_01
-
cpe:2.3:a:perl:perl:5.005_02
-
cpe:2.3:a:perl:perl:5.005_03
-
cpe:2.3:a:perl:perl:5.005_04
-
cpe:2.3:a:perl:perl:5.10
-
cpe:2.3:a:perl:perl:5.10.0
-
cpe:2.3:a:perl:perl:5.10.1
-
cpe:2.3:a:perl:perl:5.11.0
-
cpe:2.3:a:perl:perl:5.11.1
-
cpe:2.3:a:perl:perl:5.11.2
-
cpe:2.3:a:perl:perl:5.11.3
-
cpe:2.3:a:perl:perl:5.11.4
-
cpe:2.3:a:perl:perl:5.11.5
-
cpe:2.3:a:perl:perl:5.12.0
-
cpe:2.3:a:perl:perl:5.12.1
-
cpe:2.3:a:perl:perl:5.12.2
-
cpe:2.3:a:perl:perl:5.12.3
-
cpe:2.3:a:perl:perl:5.12.4
-
cpe:2.3:a:perl:perl:5.12.5
-
cpe:2.3:a:perl:perl:5.13.0
-
cpe:2.3:a:perl:perl:5.13.1
-
cpe:2.3:a:perl:perl:5.13.10
-
cpe:2.3:a:perl:perl:5.13.11
-
cpe:2.3:a:perl:perl:5.13.2
-
cpe:2.3:a:perl:perl:5.13.3
-
cpe:2.3:a:perl:perl:5.13.4
-
cpe:2.3:a:perl:perl:5.13.5
-
cpe:2.3:a:perl:perl:5.13.6
-
cpe:2.3:a:perl:perl:5.13.7
-
cpe:2.3:a:perl:perl:5.13.8
-
cpe:2.3:a:perl:perl:5.13.9
-
cpe:2.3:a:perl:perl:5.14.0
-
cpe:2.3:a:perl:perl:5.14.1
-
cpe:2.3:a:perl:perl:5.14.2
-
cpe:2.3:a:perl:perl:5.14.3
-
cpe:2.3:a:perl:perl:5.14.4
-
cpe:2.3:a:perl:perl:5.15.0
-
cpe:2.3:a:perl:perl:5.15.1
-
cpe:2.3:a:perl:perl:5.15.2
-
cpe:2.3:a:perl:perl:5.15.3
-
cpe:2.3:a:perl:perl:5.15.4
-
cpe:2.3:a:perl:perl:5.15.5
-
cpe:2.3:a:perl:perl:5.15.6
-
cpe:2.3:a:perl:perl:5.15.7
-
cpe:2.3:a:perl:perl:5.15.8
-
cpe:2.3:a:perl:perl:5.15.9
-
cpe:2.3:a:perl:perl:5.16.0
-
cpe:2.3:a:perl:perl:5.16.1
-
cpe:2.3:a:perl:perl:5.16.2
-
cpe:2.3:a:perl:perl:5.16.3
-
cpe:2.3:a:perl:perl:5.17.0
-
cpe:2.3:a:perl:perl:5.17.1
-
cpe:2.3:a:perl:perl:5.17.10
-
cpe:2.3:a:perl:perl:5.17.11
-
cpe:2.3:a:perl:perl:5.17.2
-
cpe:2.3:a:perl:perl:5.17.3
-
cpe:2.3:a:perl:perl:5.17.4
-
cpe:2.3:a:perl:perl:5.17.5
-
cpe:2.3:a:perl:perl:5.17.6
-
cpe:2.3:a:perl:perl:5.17.7
-
cpe:2.3:a:perl:perl:5.17.7.0
-
cpe:2.3:a:perl:perl:5.17.8
-
cpe:2.3:a:perl:perl:5.17.9
-
cpe:2.3:a:perl:perl:5.18.0
-
cpe:2.3:a:perl:perl:5.18.1
-
cpe:2.3:a:perl:perl:5.18.2
-
cpe:2.3:a:perl:perl:5.18.3
-
cpe:2.3:a:perl:perl:5.18.4
-
cpe:2.3:a:perl:perl:5.19.0
-
cpe:2.3:a:perl:perl:5.19.1
-
cpe:2.3:a:perl:perl:5.19.10
-
cpe:2.3:a:perl:perl:5.19.11
-
cpe:2.3:a:perl:perl:5.19.2
-
cpe:2.3:a:perl:perl:5.19.3
-
cpe:2.3:a:perl:perl:5.19.4
-
cpe:2.3:a:perl:perl:5.19.5
-
cpe:2.3:a:perl:perl:5.19.6
-
cpe:2.3:a:perl:perl:5.19.7
-
cpe:2.3:a:perl:perl:5.19.8
-
cpe:2.3:a:perl:perl:5.19.9
-
cpe:2.3:a:perl:perl:5.20.0
-
cpe:2.3:a:perl:perl:5.20.1
-
cpe:2.3:a:perl:perl:5.20.2
-
cpe:2.3:a:perl:perl:5.20.3
-
cpe:2.3:a:perl:perl:5.21.0
-
cpe:2.3:a:perl:perl:5.21.1
-
cpe:2.3:a:perl:perl:5.21.10
-
cpe:2.3:a:perl:perl:5.21.11
-
cpe:2.3:a:perl:perl:5.21.2
-
cpe:2.3:a:perl:perl:5.21.3
-
cpe:2.3:a:perl:perl:5.21.4
-
cpe:2.3:a:perl:perl:5.21.5
-
cpe:2.3:a:perl:perl:5.21.6
-
cpe:2.3:a:perl:perl:5.21.7
-
cpe:2.3:a:perl:perl:5.21.8
-
cpe:2.3:a:perl:perl:5.21.9
-
cpe:2.3:a:perl:perl:5.22.0
-
cpe:2.3:a:perl:perl:5.22.1
-
cpe:2.3:a:perl:perl:5.22.2
-
cpe:2.3:a:perl:perl:5.22.3
-
cpe:2.3:a:perl:perl:5.24.0
-
cpe:2.3:a:perl:perl:5.24.1
-
cpe:2.3:a:perl:perl:5.6
-
cpe:2.3:a:perl:perl:5.6.0
-
cpe:2.3:a:perl:perl:5.6.1
-
cpe:2.3:a:perl:perl:5.6.2
-
cpe:2.3:a:perl:perl:5.7.3
-
cpe:2.3:a:perl:perl:5.8
-
cpe:2.3:a:perl:perl:5.8.0
-
cpe:2.3:a:perl:perl:5.8.1
-
cpe:2.3:a:perl:perl:5.8.2
-
cpe:2.3:a:perl:perl:5.8.3
-
cpe:2.3:a:perl:perl:5.8.4
-
cpe:2.3:a:perl:perl:5.8.5
-
cpe:2.3:a:perl:perl:5.8.6
-
cpe:2.3:a:perl:perl:5.8.7
-
cpe:2.3:a:perl:perl:5.8.8
-
cpe:2.3:a:perl:perl:5.8.9
-
cpe:2.3:a:perl:perl:5.9.0
-
cpe:2.3:a:perl:perl:5.9.1
-
cpe:2.3:a:perl:perl:5.9.2
-
cpe:2.3:a:perl:perl:5.9.3
-
cpe:2.3:a:perl:perl:5.9.4
-
cpe:2.3:a:perl:perl:5.9.5
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:fedoraproject:fedora:23
-
cpe:2.3:o:fedoraproject:fedora:24
-
cpe:2.3:o:opensuse:leap:15.0