Vulnerability Details : CVE-2011-4114
The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program. NOTE: a similar vulnerability was reported for PAR, but this has been assigned a different CVE identifier.
Products affected by CVE-2011-4114
- cpe:2.3:a:roderich_schupp:par-packer_module:*:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.001:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.000:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.992_06:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.992_05:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.975:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.973:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.970:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.960:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.92:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.91:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.90:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.89:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.74:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.73:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.72:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.71:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.006:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.004:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.002:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.992_04:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.992_02:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.978:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.976:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.959:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.957:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.955:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.942:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.94:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.87:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.85:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.77:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.75:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.70:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.68:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.010:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.009:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.008:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.007:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.991:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.982:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.981:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.980:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.954:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.953:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.952:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.951:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.83:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.82:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.81:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.80:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.79:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.66:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.65:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.64:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.63:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.005:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:1.003:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.992_03:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.992_01:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.979:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.977:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.958:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.956:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.941:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.93:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.88:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.86:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.78:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.76:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.69:*:*:*:*:*:*:*
- cpe:2.3:a:roderich_schupp:par-packer_module:0.67:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-4114
- 0.04%: probability of exploitation activity in the next 30 days
- ~6%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-4114
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3 | LOW | AV:L/AC:M/Au:N/C:N/I:P/A:P | 3.4 | 4.9 | NIST | |
CWE ids for CVE-2011-4114
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-4114
- https://rt.cpan.org/Public/Bug/Display.html?id=69560
  Bug #69560 for PAR-Packer: PAR packed files are extracted to unsafe and predictable temporary directories
- http://www.openwall.com/lists/oss-security/2011/11/04/4
  oss-security - Re: CVE request: unsafe use of /tmp in multiple CPAN modules
- http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071091.html
  [SECURITY] Fedora 15 Update: perl-PAR-Packer-1.008-4.fc15
- https://bugzilla.redhat.com/show_bug.cgi?id=753955
  753955 – (CVE-2011-4114, CVE-2011-5060) CVE-2011-4114 CVE-2011-5060 perl-PAR-Packer/perl-PAR: insecure temporary directory handling [Patch]
- http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071099.html
  [SECURITY] Fedora 16 Update: perl-PAR-Packer-1.010-3.fc16 [Patch]
- http://www.openwall.com/lists/oss-security/2011/11/04/2
  oss-security - CVE request: unsafe use of /tmp in multiple CPAN modules