CVE-2016-6185

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
debianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
perlperl
5.23.0 ≤
𝑥
< 5.24.1
perlperl
5.25.0 ≤
𝑥
< 5.25.3
debiandebian_linux
8.0
oraclesolaris
11.3
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
17.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
perl
bullseye
5.32.1-4+deb11u3
fixed
bullseye (security)
5.32.1-4+deb11u4
fixed
bookworm
5.36.0-7+deb12u1
fixed
sid
5.40.0-6
fixed
trixie
5.40.0-6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
perl
artful
not-affected
zesty
not-affected
yakkety
not-affected
xenial
Fixed 5.22.1-9ubuntu0.3
released
wily
ignored
trusty
Fixed 5.18.2-2ubuntu1.4
released
precise
ignored
References
http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
http://www.debian.org/security/2016/dsa-3628
http://www.openwall.com/lists/oss-security/2016/07/07/1
http://www.openwall.com/lists/oss-security/2016/07/08/5
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.securityfocus.com/bid/91685
http://www.securitytracker.com/id/1036260
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5RFDMASVZLFZYBB2GNTZXU6I76E4NA4V/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRIPTDA6XINBVEJXI2NGLKVEINBREHTN/
https://rt.cpan.org/Public/Bug/Display.html?id=115808
https://security.gentoo.org/glsa/201701-75
https://usn.ubuntu.com/3625-1/
https://usn.ubuntu.com/3625-2/
http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
http://www.debian.org/security/2016/dsa-3628
http://www.openwall.com/lists/oss-security/2016/07/07/1
http://www.openwall.com/lists/oss-security/2016/07/08/5
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.securityfocus.com/bid/91685
http://www.securitytracker.com/id/1036260
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5RFDMASVZLFZYBB2GNTZXU6I76E4NA4V/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRIPTDA6XINBVEJXI2NGLKVEINBREHTN/
https://rt.cpan.org/Public/Bug/Display.html?id=115808
https://security.gentoo.org/glsa/201701-75
https://usn.ubuntu.com/3625-1/
https://usn.ubuntu.com/3625-2/