CVE-2012-6329
HIGH severity · CVSS 7.5 · Code injection
7.5CVSS HIGH
Summary
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)62%
AV:N/AC:L/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 ↗
Additional information
- NVD record
- http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8Patch
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
- http://code.activestate.com/lists/perl5-porters/187746/
- http://code.activestate.com/lists/perl5-porters/187763/
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://openwall.com/lists/oss-security/2012/12/11/4
- http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod