CVE-2018-18313

Description

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVSS Metrics

• v3.0•CRITICAL•Score: 9.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
• v2.0•MEDIUM•Score: 6.4AV:N/AC:L/Au:N/C:P/I:N/A:P

EPSS Trends

Current EPSS score: 4.61%• Percentile: 89%

Techniques & Countermeasures

• CWE-125•Out-of-bounds Read

  The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

• apple•mac_os_x

  < 10.14.4

• canonical•ubuntu_linux

  12.04 | 14.04 | 16.04 | 18.04 | 18.10

• debian•debian_linux

  9.0

• netapp•e-series_santricity_os_controller

  ≥ 11.0, ≤ 11.40

• netapp•snap_creator_framework

  na

• netapp•snapcenter

  na

• netapp•snapdrive

  na

• perl•perl

  < 5.26.3

• redhat•enterprise_linux

  6.0 | 7.0 | 7.4 | 7.5 | 7.6

References (17)

• https://www.debian.org/security/2018/dsa-4347
• http://www.securitytracker.com/id/1042181
• https://access.redhat.com/errata/RHSA-2019:0010
• https://usn.ubuntu.com/3834-2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
• https://access.redhat.com/errata/RHSA-2019:0001
• https://usn.ubuntu.com/3834-1/
• https://seclists.org/bugtraq/2019/Mar/42
• http://seclists.org/fulldisclosure/2019/Mar/49
• https://security.gentoo.org/glsa/201909-01
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://support.apple.com/kb/HT209600
• https://security.netapp.com/advisory/ntap-20190221-0003/
• https://metacpan.org/changes/release/SHAY/perl-5.26.3
• https://bugzilla.redhat.com/show_bug.cgi?id=1646738
• https://rt.perl.org/Ticket/Display.html?id=133192
• https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62