CVE-2017-12883 - OpenCVE

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Perl	Perl

Configuration 1 [-]

OR	cpe:2.3:a:perl:perl::::::::
	cpe:2.3:a:perl:perl:5.26.0:::::::*

References

Link	Resource
http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch	Patch Third Party Advisory
http://www.debian.org/security/2017/dsa-3982
http://www.securityfocus.com/bid/100852	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1492093	Issue Tracking Patch Third Party Advisory VDB Entry
https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1	Patch Vendor Advisory
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1	Release Notes Vendor Advisory
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1	Release Notes Vendor Advisory
https://rt.perl.org/Public/Bug/Display.html?id=131598
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-09-19T18:00:00

Updated: 2020-07-15T02:22:55

Reserved: 2017-08-16T00:00:00

Link: CVE-2017-12883

JSON object: View

NVD Information

Status : Modified

Published: 2017-09-19T18:29:00.197

Modified: 2020-07-15T03:15:18.483

Link: CVE-2017-12883

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-09-10T00:00:00", "descriptions": [{"lang": "en", "value": "Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T02:22:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-3982", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3982"}, {"name": "100852", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100852"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20180426-0001/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1492093"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://rt.perl.org/Public/Bug/Display.html?id=131598"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-12883", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3982", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3982"}, {"name": "100852", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100852"}, {"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1", "refsource": "CONFIRM", "url": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1"}, {"name": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1", "refsource": "CONFIRM", "url": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1"}, {"name": "https://security.netapp.com/advisory/ntap-20180426-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20180426-0001/"}, {"name": "http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch", "refsource": "CONFIRM", "url": "http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1492093", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1492093"}, {"name": "https://rt.perl.org/Public/Bug/Display.html?id=131598", "refsource": "CONFIRM", "url": "https://rt.perl.org/Public/Bug/Display.html?id=131598"}, {"name": "https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1", "refsource": "CONFIRM", "url": "https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-12883", "datePublished": "2017-09-19T18:00:00", "dateReserved": "2017-08-16T00:00:00", "dateUpdated": "2020-07-15T02:22:55", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB276E2C-622C-45EB-8378-35751366049F", "versionEndIncluding": "5.24.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:perl:perl:5.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "B71CAECA-2A6A-4604-863F-3C1C055FB1CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape."}, {"lang": "es", "value": "Un Desbordamiento de b\u00fafer en la funci\u00f3n S_grok_bslash_N en el archivo regcomp.c en Perl versi\u00f3n 5 anterior a 5.24.3-RC1 y versi\u00f3n 5.26.x anterior a 5.26.1-RC1, permite a los atacantes remotos divulgar informaci\u00f3n confidencial o causar una denegaci\u00f3n de servicio (bloqueo de aplicaci\u00f3n) por medio de una expresi\u00f3n creada con un escape '\\N{U+...}' inv\u00e1lido."}], "id": "CVE-2017-12883", "lastModified": "2020-07-15T03:15:18.483", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-19T18:29:00.197", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2017/dsa-3982"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100852"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1492093"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1"}, {"source": "cve@mitre.org", "url": "https://rt.perl.org/Public/Bug/Display.html?id=131598"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20180426-0001/"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}