Vulnerability Details : CVE-2020-12723
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
Vulnerability category: Overflow
Products affected by CVE-2020-12723
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
- Oracle » Communications Eagle Application ProcessorVersions from including (>=) 16.1.0 and up to, including, (<=) 16.4.0cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:*
- Oracle » Communications Diameter Signaling RouterVersions from including (>=) 8.0.0 and up to, including, (<=) 8.5.0cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_eagle_lnp_application_processor:10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:configuration_manager:12.1.2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_lsms:*:*:*:*:*:*:*:*
- Oracle » Communications Performance Intelligence CenterVersions from including (>=) 10.4.0.1.0 and up to, including, (<=) 10.4.0.3.1cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*
- Oracle » Communications Performance Intelligence CenterVersions from including (>=) 10.3.0.0.0 and up to, including, (<=) 10.3.0.2.1cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
- Oracle » Tekelec Platform DistributionVersions from including (>=) 7.4.0 and up to, including, (<=) 7.7.1cpe:2.3:a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:*
- cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-12723
0.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 62 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-12723
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-12723
-
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-12723
-
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - October 2020Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
perl5/perl5303delta.pod at blead · Perl/perl5 · GitHubThird Party Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Patch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
[SECURITY] Fedora 31 Update: perl-5.30.3-452.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
[security-announce] openSUSE-SU-2020:0850-1: important: Security updateMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Patch;Third Party Advisory
-
https://github.com/Perl/perl5/issues/17743
study_chunk recursion · Issue #17743 · Perl/perl5 · GitHubThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
Comparing v5.30.2...v5.30.3 · Perl/perl5 · GitHubPatch;Third Party Advisory
-
https://github.com/Perl/perl5/issues/16947
Segfault in S_study_chunk (regcomp.c:4870) · Issue #16947 · Perl/perl5 · GitHubThird Party Advisory
-
https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
study_chunk: avoid mutating regexp program within GOSUB · Perl/perl5@66bbb51 · GitHubPatch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20200611-0001/
June 2020 Perl Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://security.gentoo.org/glsa/202006-03
Perl: Multiple vulnerabilities (GLSA 202006-03) — Gentoo securityThird Party Advisory
Jump to