Vulnerability Details: CVE-2016-2381
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
Vulnerability category: Input validation
Products affected by CVE-2016-2381
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:configuration_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:configuration_manager:12.1.2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Threat overview for CVE-2016-2381
- Top open port discovered on systems with this issue: 1521
- IPs affected by CVE-2016-2381: 31,764
- Threat actors abusing this issue? Yes
Powered by attack surface intelligence from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2016-2381
- 0.83%: probability of exploitation activity in the next 30 days
- ~82%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-2381
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-2381
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-2381
- http://lists.opensuse.org/opensuse-updates/2016-03/msg00112.html
  openSUSE-SU-2016:0881-1: moderate: Security update for perl (Mailing List; Third Party Advisory)
- http://www.debian.org/security/2016/dsa-3501
  Debian -- Security Information -- DSA-3501-1 perl (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html
  Oracle Critical Patch Update Advisory - April 2020 (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
  Oracle Solaris Bulletin - July 2016 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html
  Oracle Critical Patch Update Advisory - July 2020 (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
  Oracle Critical Patch Update - October 2017 (Third Party Advisory)
- http://www.gossamer-threads.com/lists/perl/porters/326387
  Mailing List Archive: CVE-2016-2381: duplicate environment variables (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2916-1
  USN-2916-1: Perl vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
  Perl 5 - perl.git/commitdiff (Vendor Advisory)
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
  HPSBNS03635 rev.1 - HPE NonStop Servers OSS Script Languages running Perl and PHP, Multiple Local and Remote Vulnerabilities (Third Party Advisory)
- http://www.securityfocus.com/bid/83802
  Perl 'perl.c' CVE-2016-2381 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
  Oracle Critical Patch Update - July 2017 (Third Party Advisory)
- https://security.gentoo.org/glsa/201701-75
  Perl: Multiple vulnerabilities (GLSA 201701-75) — Gentoo security (Third Party Advisory)