CVE-2016-1238

Name: CVE-2016-1238
Creator: NVD / NIST
Published: 2016-08-02T14:59:00.13+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 0.78%

Last modified Jun 17, 2026

CVE-2016-1238 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.. EPSS estimates a 0.78% chance of exploitation in the next 30 days.

Description

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.78%

51.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-264

Affected Software

Vendor	Product	Versions	Update
Debian	Debian Linux	8.0	—
Fedoraproject	Fedora	23	—
Fedoraproject	Fedora	24	—
Perl	Perl	1.0.15	—
Perl	Perl	1.0.16	—
Perl	Perl	5.000	—
Perl	Perl	5.000o	—
Perl	Perl	5.001	—
Perl	Perl	5.001n	—
Perl	Perl	5.002	—
Perl	Perl	5.002_01	—
Perl	Perl	5.003	—
Perl	Perl	5.003_01	—
Perl	Perl	5.003_02	—
Perl	Perl	5.003_03	—
Perl	Perl	5.003_04	—
Perl	Perl	5.003_05	—
Perl	Perl	5.003_07	—
Perl	Perl	5.003_08	—
Perl	Perl	5.003_09	—
Perl	Perl	5.003_10	—
Perl	Perl	5.003_11	—
Perl	Perl	5.003_12	—
Perl	Perl	5.003_13	—
Perl	Perl	5.003_14	—
Perl	Perl	5.003_15	—
Perl	Perl	5.003_16	—
Perl	Perl	5.003_17	—
Perl	Perl	5.003_18	—
Perl	Perl	5.003_19	—
Perl	Perl	5.003_20	—
Perl	Perl	5.003_21	—
Perl	Perl	5.003_22	—
Perl	Perl	5.003_23	—
Perl	Perl	5.003_24	—
Perl	Perl	5.003_25	—
Perl	Perl	5.003_26	—
Perl	Perl	5.003_27	—
Perl	Perl	5.003_28	—
Perl	Perl	5.003_90	—
Perl	Perl	5.003_91	—
Perl	Perl	5.003_92	—
Perl	Perl	5.003_93	—
Perl	Perl	5.003_94	—
Perl	Perl	5.003_95	—
Perl	Perl	5.003_96	—
Perl	Perl	5.003_97	—
Perl	Perl	5.003_97a	—
Perl	Perl	5.003_97b	—
Perl	Perl	5.003_97c	—

Showing 50 of 193 affected configurations. See NVD for the full list.

References

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.htmlThird Party Advisory
http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41abIssue Tracking
http://www.debian.org/security/2016/dsa-3628Third Party Advisory
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.htmlThird Party Advisory
http://www.securityfocus.com/bid/92136Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036440Third Party Advisory, VDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731Third Party Advisory
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/11/msg00016.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FBQOCV3GBAN2EYZUM3CFDJ4ECA3GZOK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZBNQH3DMI7HDELJAZ4TFJJANHXOEDWH/
https://rt.perl.org/Public/Bug/Display.html?id=127834Permissions Required
https://security.gentoo.org/glsa/201701-75Third Party Advisory
https://security.gentoo.org/glsa/201812-07Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.htmlThird Party Advisory
http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41abIssue Tracking
http://www.debian.org/security/2016/dsa-3628Third Party Advisory
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.htmlThird Party Advisory
http://www.securityfocus.com/bid/92136Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036440Third Party Advisory, VDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731Third Party Advisory
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/11/msg00016.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FBQOCV3GBAN2EYZUM3CFDJ4ECA3GZOK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZBNQH3DMI7HDELJAZ4TFJJANHXOEDWH/
https://rt.perl.org/Public/Bug/Display.html?id=127834Permissions Required
https://security.gentoo.org/glsa/201701-75Third Party Advisory
https://security.gentoo.org/glsa/201812-07Third Party Advisory

Timeline

Published: Aug 2, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-1238?

How severe is CVE-2016-1238?

CVE-2016-1238 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.78% probability of exploitation in the next 30 days.

How do I fix CVE-2016-1238?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-1238?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST