Vulnerability Details : CVE-2015-8607
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
Vulnerability category: Input validation
Products affected by CVE-2015-8607
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:perl:pathtools:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-8607
0.65%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 80 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-8607
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
7.3
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
3.9
|
3.4
|
NIST |
CWE ids for CVE-2015-8607
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8607
-
http://lists.opensuse.org/opensuse-updates/2016-03/msg00112.html
openSUSE-SU-2016:0881-1: moderate: Security update for perl
-
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - July 2020
-
http://www.securitytracker.com/id/1034772
Perl PathTools Bug in File::Spec Module Lets Remote Users Bypass Taint Restrictions on the Target System - SecurityTracker
-
https://rt.perl.org/Public/Bug/Display.html?id=126862
Bug #126862 for perl5: [CVE-2015-8607] XS File::Spec::canonpath loses taintVendor Advisory
-
http://cpansearch.perl.org/src/RJBS/PathTools-3.62/Changes
-
http://www.debian.org/security/2016/dsa-3441
Debian -- Security Information -- DSA-3441-1 perl
-
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175494.html
[SECURITY] Fedora 23 Update: perl-PathTools-3.60-2.fc23
-
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176228.html
[SECURITY] Fedora 22 Update: perl-PathTools-3.47-312.fc22
-
http://www.ubuntu.com/usn/USN-2878-1
USN-2878-1: Perl vulnerability | Ubuntu security notices
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities
-
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Critical Patch Update - July 2017
-
https://security.gentoo.org/glsa/201701-75
Perl: Multiple vulnerabilities (GLSA 201701-75) — Gentoo security
-
http://www.securityfocus.com/bid/80504
Perl 'File::Spec' module CVE-2015-8607 Security Bypass Vulnerability
Jump to