| Vulnerability Name: | CVE-2008-5302 (CCN-47043) | ||||||||||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2008-11-19 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Published: | 2008-11-19 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Updated: | 2018-10-11 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Summary: | Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. Note: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions. | ||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
| ||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.0 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)
2.9 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:OF/RC:C)
3.8 Low (REDHAT Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-362 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | File Manipulation | ||||||||||||||||||||||||||||||||||||||||||||||||
| References: | Source: CCN Type: Debian Bug report logs - #286905 perl-modules: File::Path::rmtree makes setuid Source: CONFIRM Type: Exploit http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905 Source: CONFIRM Type: Exploit http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286922#36 Source: MITRE Type: CNA CVE-2008-5302 Source: CONFIRM Type: UNKNOWN http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 Source: CONFIRM Type: UNKNOWN http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 Source: APPLE Type: UNKNOWN APPLE-SA-2010-03-29-1 Source: SUSE Type: UNKNOWN SUSE-SR:2009:004 Source: CCN Type: perldoc Web site File::Path Source: CCN Type: RHSA-2010-0458 Moderate: perl security update Source: SECUNIA Type: UNKNOWN 32980 Source: SECUNIA Type: UNKNOWN 33314 Source: SECUNIA Type: UNKNOWN 40052 Source: CCN Type: SA47305 F5 Enterprise Manager Multiple Vulnerabilities Source: CCN Type: Apple Web site About the security content of Security Update 2010-002 / Mac OS X v10.6.3 Source: CONFIRM Type: UNKNOWN http://support.apple.com/kb/HT4077 Source: CCN Type: F5 Networks Web site Release Note: Enterprise Manager version 2.3.0 Source: CONFIRM Type: UNKNOWN http://wiki.rpath.com/Advisories:rPSA-2009-0011 Source: DEBIAN Type: UNKNOWN DSA-1678 Source: DEBIAN Type: DSA-1678 perl -- design flaws Source: CCN Type: porters Mailing List, Nov 19, 2008, 7:25 AM Re: File::Path regression in 5.8.9 Source: MISC Type: Exploit http://www.gossamer-threads.com/lists/perl/porters/233695#233695 Source: MANDRIVA Type: UNKNOWN MDVSA-2010:116 Source: CCN Type: oss-security Mailing List, Fri, 28 Nov 2008 16:29:10 +0100 Re: CVE Request - cups, dovecot-managesieve, perl, wireshark Source: MLIST Type: UNKNOWN [oss-security] 20081128 Re: [oss-security] CVE Request - cups, dovecot-managesieve, perl, wireshark Source: REDHAT Type: UNKNOWN RHSA-2010:0458 Source: BUGTRAQ Type: UNKNOWN 20090120 rPSA-2009-0011-1 perl Source: CCN Type: USN-700-1 Perl vulnerabilities Source: UBUNTU Type: UNKNOWN USN-700-1 Source: CCN Type: USN-700-2 Perl regression Source: UBUNTU Type: UNKNOWN USN-700-2 Source: CCN Type: Larry Wall's Web page Perl Source: XF Type: UNKNOWN perl-filepath-symlink(47043) Source: XF Type: UNKNOWN perl-filepath-symlink(47043) Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:11076 Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:6890 Source: SUSE Type: SUSE-SR:2009:004 SUSE Security Summary Report | ||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration RedHat 1: Configuration RedHat 2: Configuration RedHat 3:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||||||||||