CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47100
https://notcve.org/view.php?id=CVE-2023-47100
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. En Perl anterior a 5.38.2, S_parse_uniprop_string en regcomp.c puede escribir en espacio no asignado porque un nombre de propiedad asociado con una construcción de expresión regular \p{...} está mal manejado. La primera versión afectada es la 5.30.0. • https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6 https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-47038 – Perl: write past buffer end via illegal user-defined unicode property
https://notcve.org/view.php?id=CVE-2023-47038
A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer. Se encontró una vulnerabilidad en Perl. Este problema ocurre cuando Perl compila una expresión regular manipulada, lo que puede permitir que un atacante controle el desbordamiento de búfer de bytes en un búfer asignado en el almacenamiento dinámico. • https://access.redhat.com/errata/RHSA-2024:2228 https://access.redhat.com/errata/RHSA-2024:3128 https://access.redhat.com/security/cve/CVE-2023-47038 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746 https://bugzilla.redhat.com/show_bug.cgi?id=2249523 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48522
https://notcve.org/view.php?id=CVE-2022-48522
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation. En Perl 5.34.0, la función S_find_uninit_var en sv.c tiene un bloqueo basado en pila que puede conducir a la ejecución remota de código o a la escalada de privilegios locales. • https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345 https://security.netapp.com/advisory/ntap-20230915-0008 • CWE-787: Out-of-bounds Write •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2023-31484 – perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS
https://notcve.org/view.php?id=CVE-2023-31484
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens due to `verify_SSL` missing when suing the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues. • http://www.openwall.com/lists/oss-security/2023/04/29/1 http://www.openwall.com/lists/oss-security/2023/05/03/3 http://www.openwall.com/lists/oss-security/2023/05/03/5 http://www.openwall.com/lists/oss-security/2023/05/07/2 https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules https://github.com/andk/cpanpm/pull/175 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL https:& • CWE-295: Improper Certificate Validation •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31486 – http-tiny: insecure TLS cert default
https://notcve.org/view.php?id=CVE-2023-31486
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. A vulnerability was found in Tiny, where a Perl core module and standalone CPAN package, does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server. • http://www.openwall.com/lists/oss-security/2023/04/29/1 http://www.openwall.com/lists/oss-security/2023/05/03/3 http://www.openwall.com/lists/oss-security/2023/05/03/5 http://www.openwall.com/lists/oss-security/2023/05/07/2 https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules https://github.com/chansen/p5-http-tiny/pull/153 https://hackeriet.github.io/cpan-http-tiny-overview https://www.openwall.com/lists/oss-security/2023/0 • CWE-295: Improper Certificate Validation CWE-1188: Initialization of a Resource with an Insecure Default •