SB2018061328 - Path traversal in perl (Alpine package)
Published: June 13, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2018-12015)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to an error when processing malicious input. A remote attacker can trick the victim into extracting a specially crafted tar archive that contains a file and a symbolic link (symlink) with the same name. This bypasses a directory-traversal protection mechanism and lets the attacker create or overwrite files outside of the current working directory with the privileges of the target user.
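A pre-extraction audit for the archive pattern described above, as an added example (not code from this bulletin, Alpine or the Perl project, and not the vendor fix). It uses Python's standard `tarfile` module to read headers only; the function names, file names and link targets are assumptions made for illustration.

```python
import io
import posixpath
import tarfile


def find_link_name_collisions(fileobj):
    """Return (name, link_target) for names used by a link and another entry.

    Only archive headers are read; nothing is extracted to disk.
    """
    links = {}      # normalized name -> target of a symlink/hardlink entry
    others = set()  # normalized names of non-link entries
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            if member.issym() or member.islnk():
                if name in others or name in links:
                    hits.append((name, member.linkname))
                links[name] = member.linkname
            else:
                if name in links:
                    hits.append((name, links[name]))
                others.add(name)
    return hits


def build_sample(entries):
    """Build a constructed in-memory tar from (name, kind, value) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, value in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tar.addfile(info)
            else:
                data = value.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed samples (not from the bulletin); names and targets are placeholders.
SUSPICIOUS = [("notes.txt", "file", "data"), ("notes.txt", "symlink", "/tmp/outside-target")]
BENIGN = [("notes.txt", "file", "data"), ("latest", "symlink", "notes.txt")]

if __name__ == "__main__":
    for label, entries in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, find_link_name_collisions(build_sample(entries)))
```

An archive that produces any hit should be rejected or inspected by hand before it is passed to an extractor.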
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=13074bff64787b9251ec396b8ac6ecd18718d2a0
- https://git.alpinelinux.org/aports/commit/?id=86b5b86c354507c36746160cfbae4b64783bfafb
- https://git.alpinelinux.org/aports/commit/?id=599da1ef36c21d244ab85a210d2a31fe48c7a329
- https://git.alpinelinux.org/aports/commit/?id=9e48350095c409ad45bca9e309dac31decf5216b
- https://git.alpinelinux.org/aports/commit/?id=ebf7fcd2b328ba5b15db2785fa1d46599fbc330f