CVE-2018-12015
Severity: Unknown | EPSS: 8.21%
CVE-2018-12015 is a vulnerability of currently unknown severity. In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. EPSS estimates an 8.21% chance of exploitation in the next 30 days.
Description
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Canonical | Ubuntu Linux | 12.04 | — |
| Canonical | Ubuntu Linux | 14.04 | — |
| Canonical | Ubuntu Linux | 16.04 | — |
| Canonical | Ubuntu Linux | 17.10 | — |
| Canonical | Ubuntu Linux | 18.04 | — |
| Debian | Debian Linux | 8.0 | — |
| Debian | Debian Linux | 9.0 | — |
| Perl | Perl | <= 5.26.2 | — |
| Archive::Tar Project | Archive::Tar | <= 2.28 | — |
| Apple | Mac OS X | < 10.14.4 | — |
| NetApp | Data ONTAP Edge | All versions | — |
| NetApp | OnCommand Workflow Automation | All versions | — |
| NetApp | Snap Creator Framework | All versions | — |
| NetApp | SnapDrive | All versions | — |
References
- http://seclists.org/fulldisclosure/2019/Mar/49 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/104423 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1041048 (Third Party Advisory, VDB Entry)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900834 (Exploit, Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2019/Mar/42 (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20180927-0001/ (Patch, Third Party Advisory)
- https://support.apple.com/kb/HT209600 (Third Party Advisory)
- https://usn.ubuntu.com/3684-1/ (Third Party Advisory)
- https://usn.ubuntu.com/3684-2/ (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4226 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-12015?
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
How severe is CVE-2018-12015?
Severity scoring for CVE-2018-12015 is pending analysis. The EPSS model estimates an 8.21% probability of exploitation in the next 30 days.
How do I fix CVE-2018-12015?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Source: NVD / NIST
