CVE-2020-10878

high-risk

Published 2020-06-05

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.6/10 High

NETWORK / LOW complexity

Affected Products (20)

Perl

Fedora

Leap

Oncommand Workflow Automation

Snap Creator Framework

Communications Billing And Revenue Management

Communications Diameter Signaling Router

Communications Eagle Application Processor

Communications Eagle Lnp Application Processor

Communications Lsms

Communications Offline Mediation Controller

Communications Performance Intelligence Center

Communications Pricing Design Center

Configuration Manager

Enterprise Manager Base Platform

Affected Vendors

Oracle Perl Fedoraproject Netapp Opensuse

References (30)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html

Third Party Advisory https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod

Patch https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3

Patch https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8

Patch https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202006-03

Third Party Advisory https://security.netapp.com/advisory/ntap-20200611-0001/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Patch https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2020.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html

Third Party Advisory https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod

Patch https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3

Patch https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8

Patch https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c

and 10 more references

/ 100

high-risk

Severity 29/34 · Critical

Exploitability 0/34 · Minimal

Exposure 21/34 · High