CVE-2017-12837 : Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 befo

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.

Published 2017-09-19 18:29:00

Updated 2020-07-15 03:15:18

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Products affected by CVE-2017-12837

Perl » Perl
Versions up to, including, (<=) 5.24.2
cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
Matching versions
Perl » Perl » Version: 5.26.0
cpe:2.3:a:perl:perl:5.26.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-12837

EPSS FAQ

2.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 83 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-12837

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2017-12837

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-12837

https://www.oracle.com/security-alerts/cpujul2020.html

Oracle Critical Patch Update Advisory - July 2020

CVEs referencing this url
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5

Perl 5 - perl.git/commitdiff
Patch;Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1492091

1492091 – (CVE-2017-12837) CVE-2017-12837 perl: Heap buffer overflow in regular expression compiler
Issue Tracking;Patch;Third Party Advisory;VDB Entry
https://security.netapp.com/advisory/ntap-20180426-0001/

October 2017 Perl Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
http://www.debian.org/security/2017/dsa-3982

Debian -- Security Information -- DSA-3982-1 perl

CVEs referencing this url
http://www.securityfocus.com/bid/100860

Perl CVE-2017-12837 Heap Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry
https://rt.perl.org/Public/Bug/Display.html?id=131582

Bug #131582 for perl5: [CVE-2017-12837]Heap overflow in Perl__to_fold_latin1 when compiling case-insensitive regexp
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1

Perl 5 - perl.git/log
Release Notes;Vendor Advisory

CVEs referencing this url
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1

Perl 5 - perl.git/log
Release Notes;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-12837

Products affected by CVE-2017-12837

Exploit prediction scoring system (EPSS) score for CVE-2017-12837

CVSS scores for CVE-2017-12837

CWE ids for CVE-2017-12837

References for CVE-2017-12837