Vulnerability Details : CVE-2014-4330
The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
Vulnerability category: Overflow, Denial of service
Products affected by CVE-2014-4330
- cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
- cpe:2.3:a:data_dumper_project:data_dumper:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-4330
- 0.13%: Probability of exploitation activity in the next 30 days
- ~ 46 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-4330
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2014-4330
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4330
-
http://seclists.org/oss-sec/2014/q3/692
oss-sec: LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow [Exploit]
-
http://www.ubuntu.com/usn/USN-2916-1
USN-2916-1: Perl vulnerabilities | Ubuntu security notices
-
http://www.securityfocus.com/bid/70142
Perl CVE-2014-4330 Stack Overflow Denial of Service Vulnerability
-
http://seclists.org/fulldisclosure/2014/Sep/84
Full Disclosure: LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow [Exploit]
-
http://advisories.mageia.org/MGASA-2014-0406.html
Mageia Advisory: MGASA-2014-0406 - Updated perl packages fix CVE-2014-4330
-
http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html
fix for CVE-2014-4330 present in blead - nntp.perl.org
-
https://metacpan.org/pod/distribution/Data-Dumper/Changes
Changes - public release history for Data::Dumper - metacpan.org
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/96216
Perl Dumper denial of service CVE-2014-4330 Vulnerability Report
-
https://www.lsexperts.de/advisories/lse-2014-06-10.txt
Home page [Exploit]
-
http://packetstormsecurity.com/files/128422/Perl-5.20.1-Deep-Recursion-Stack-Overflow.html
Perl 5.20.1 Deep Recursion Stack Overflow ≈ Packet Storm [Exploit]
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities
-
http://www.mandriva.com/security/advisories?name=MDVSA-2015:136
mandriva.com
-
http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html
[SECURITY] Fedora 20 Update: perl-Data-Dumper-2.154-1.fc20
-
http://www.securityfocus.com/archive/1/533543/100/0/threaded
SecurityFocus