CVE-2018-18313

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.4 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://seclists.org/fulldisclosure/2019/Mar/49	Third Party Advisory
http://www.securitytracker.com/id/1042181	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:0001	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0010	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1646738	Issue Tracking Patch Third Party Advisory
https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62	Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://metacpan.org/changes/release/SHAY/perl-5.26.3	Third Party Advisory
https://rt.perl.org/Ticket/Display.html?id=133192	Exploit Third Party Advisory
https://seclists.org/bugtraq/2019/Mar/42	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201909-01
https://security.netapp.com/advisory/ntap-20190221-0003/	Third Party Advisory
https://support.apple.com/kb/HT209600	Third Party Advisory
https://usn.ubuntu.com/3834-1/	Third Party Advisory
https://usn.ubuntu.com/3834-2/	Third Party Advisory
https://www.debian.org/security/2018/dsa-4347	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.6:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:snapdrive:-:::::unix::

Configuration 6 (hide)

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-12-07 21:29

Updated : 2024-02-04 20:03

NVD link : CVE-2018-18313

Mitre link : CVE-2018-18313

CVE.ORG link : CVE-2018-18313

JSON object : View

Products Affected

debian

debian_linux

perl

perl

netapp

snap_creator_framework
snapdrive
e-series_santricity_os_controller
snapcenter

canonical

ubuntu_linux

redhat

enterprise_linux

apple

mac_os_x

CWE

CWE-125

Out-of-bounds Read

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2018-18313

9.1^/10

6.4^/10

Attach tags to `CVE-2018-18313`