The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
https://exchange.xforce.ibmcloud.com/vulnerabilities/66528
https://bugzilla.redhat.com/show_bug.cgi?id=692844
http://www.mandriva.com/security/advisories?name=MDVSA-2011:091
http://www.debian.org/security/2011/dsa-2265
http://secunia.com/advisories/44168
http://secunia.com/advisories/43921
http://perl5.git.perl.org/perl.git/commit/539689e74a3bcb04d29e4cd9396de91a81045b99
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057971.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057891.html
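
A check for the behaviour described above, written as an added example (not code from the Perl project or from any of the referenced advisories): it runs under taint mode and reports whether the local interpreter keeps the taint flag on the return values of the four functions. The sample string and the script name are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example: checks whether this interpreter keeps the taint flag
# across lc, lcfirst, uc and ucfirst. Run as: perl -T check_case_taint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; rerun with perl -T\n" unless ${^TAINT};

# Zero-length tainted string taken from $^X (tainted under -T); appending it
# marks a constructed sample as tainted without reading real user input.
my $taint  = substr($^X, 0, 0);
my $sample = "MiXeD Case Input" . $taint;   # constructed sample value
die "could not build a tainted sample\n" unless tainted($sample);

# The four functions named in the description, each wrapped so the
# return value can be inspected separately.
my %case_ops = (
    lc      => sub { lc $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    uc      => sub { uc $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

my @dropped;
for my $name (sort keys %case_ops) {
    my $out = $case_ops{$name}->($sample);
    my $ok  = tainted($out);              # true if the taint flag survived
    printf "%-8s -> %-20s %s\n", $name, qq{"$out"},
        $ok ? "tainted (ok)" : "UNTAINTED";
    push @dropped, $name unless $ok;
}

if (@dropped) {
    print "perl $^V drops taint in: @dropped\n";
    exit 1;   # non-zero exit so the check can gate a build or deployment
}
print "perl $^V preserves taint across all four functions\n";
exit 0;
```

A non-zero exit identifies an interpreter on which values passed through these functions need explicit validation before they reach a taint-checked operation.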