Vulnerability CVE-2014-4330

Vulnerability Name:

CVE-2014-4330 (CCN-96216)

Assigned:

2014-09-25

Published:

2014-09-25

Updated:

2018-10-09

Summary:

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
1.7 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
1.7 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-119

Vulnerability Consequences:

Denial of Service

References:

Source: CONFIRM
Type: UNKNOWN
http://advisories.mageia.org/MGASA-2014-0406.html

Source: MITRE
Type: CNA
CVE-2014-4330

Source: FEDORA
Type: UNKNOWN
FEDORA-2014-11453

Source: MISC
Type: Exploit
http://packetstormsecurity.com/files/128422/Perl-5.20.1-Deep-Recursion-Stack-Overflow.html

Source: CCN
Type: CPAN Web site
Perl CPAN

Source: FULLDISC
Type: Exploit
20140925 LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow

Source: CCN
Type: oss-security Mailing List, Thu, 25 Sep 2014 10:59:49 +0200
LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow

Source: MLIST
Type: Exploit
[oss-security] 20140925 LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow

Source: SECUNIA
Type: UNKNOWN
61441

Source: SECUNIA
Type: UNKNOWN
61961

Source: CCN
Type: IBM Security Bulletin 1021717
PowerKVM affected by 1 issue for perl-Data-Dumper (CVE-2014-4330)

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2015:136

Source: MLIST
Type: UNKNOWN
[perl.perl5.porters] 20140918 fix for CVE-2014-4330 present in blead

Source: BUGTRAQ
Type: UNKNOWN
20140925 LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow

Source: BID
Type: UNKNOWN
70142

Source: CCN
Type: BID-70142
Perl CVE-2014-4330 Stack Overflow Denial of Service Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-2916-1

Source: XF
Type: UNKNOWN
perl-cve20144330-dos(96216)

Source: XF
Type: UNKNOWN
perl-cve20144330-dos(96216)

Source: CONFIRM
Type: UNKNOWN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

Source: CONFIRM
Type: UNKNOWN
https://metacpan.org/pod/distribution/Data-Dumper/Changes

Source: CCN
Type: Packet Storm Security [09-25-2014]
Perl 5.20.1 Deep Recursion Stack Overflow

Source: CONFIRM
Type: Exploit
https://www.lsexperts.de/advisories/lse-2014-06-10.txt

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-4330

Vulnerable Configuration:

Configuration 1:

cpe:/a:perl:perl:*:*:*:*:*:*:*:* (Version <= 5.20.1)

Configuration 2:

cpe:/a:data_dumper_project:data_dumper:*:*:*:*:*:*:*:* (Version <= 2.151)

Configuration CCN 1:

cpe:/a:ibm:powerkvm:2.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20144330	V	CVE-2014-4330	2022-05-20
oval:org.opensuse.security:def:34015	P	Security update for log4j (Important)	2021-12-17
oval:org.opensuse.security:def:34611	P	Security update for bcm43xx-firmware (Important)	2021-12-13
oval:org.opensuse.security:def:55276	P	Security update for ruby2.1 (Important)	2021-12-01
oval:org.opensuse.security:def:30273	P	Security update for java-1_7_0-openjdk (Important)	2021-11-24
oval:org.opensuse.security:def:26162	P	Security update for pcre (Moderate)	2021-11-10
oval:org.opensuse.security:def:26156	P	Security update for open-lldp (Moderate)	2021-10-26
oval:org.opensuse.security:def:34553	P	Security update for libvirt (Moderate)	2021-10-04
oval:org.opensuse.security:def:32185	P	Security update for ghostscript (Critical)	2021-09-21
oval:org.opensuse.security:def:30127	P	Security update for openssl (Low)	2021-09-20
oval:org.opensuse.security:def:26099	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:26098	P	Security update for webkit2gtk3 (Important)	2021-08-03
oval:org.opensuse.security:def:55927	P	Security update for systemd (Important)	2021-07-21
oval:org.opensuse.security:def:26086	P	Security update for libsolv (Important)	2021-06-28
oval:org.opensuse.security:def:57470	P	Security update for libgcrypt (Important)	2021-06-24
oval:org.opensuse.security:def:30216	P	Security update for ovmf (Important)	2021-06-22
oval:org.opensuse.security:def:56039	P	Security update for ovmf (Important)	2021-06-22
oval:org.opensuse.security:def:42672	P	perl-32bit-5.10.0-64.72.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36265	P	perl-32bit-5.10.0-64.72.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:33920	P	Security update for MozillaFirefox (Important)	2021-06-08
oval:org.opensuse.security:def:36537	P	perl-base-32bit-5.10.0-64.72.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:33919	P	Security update for gstreamer-plugins-bad (Important)	2021-06-07
oval:org.opensuse.security:def:55170	P	Security update for clamav (Important)	2021-04-14
oval:org.opensuse.security:def:56001	P	Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP2) (Important)	2021-04-12
oval:org.opensuse.security:def:34660	P	Security update for wavpack (Important)	2021-03-24
oval:org.opensuse.security:def:31743	P	Security update for python (Moderate)	2021-03-16
oval:org.opensuse.security:def:31732	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:31731	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:54759	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:55835	P	Security update for openvswitch (Important)	2021-02-03
oval:org.opensuse.security:def:26087	P	Security update for sudo (Important)	2021-01-26
oval:org.opensuse.security:def:33931	P	Security update for ImageMagick (Important)	2021-01-22
oval:org.opensuse.security:def:31357	P	Security update for MozillaFirefox (Important)	2021-01-12
oval:org.opensuse.security:def:32098	P	Security update for dovecot22 (Important)	2021-01-04
oval:org.opensuse.security:def:26428	P	Security update for redis (Moderate)	2020-12-01
oval:org.opensuse.security:def:26765	P	librsvg on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27500	P	libwebkit-1_0-2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26404	P	Security update for irssi (Moderate)	2020-12-01
oval:org.opensuse.security:def:26688	P	ecryptfs-utils-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27033	P	star on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27179	P	libdrm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27357	P	ImageMagick on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27561	P	rubygem-rack-1_4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27935	P	Security update for GraphicsMagick (Important)	2020-12-01
oval:org.opensuse.security:def:28090	P	Security update for ghostscript-library (Important)	2020-12-01
oval:org.opensuse.security:def:29995	P	Security update for libtiff	2020-12-01
oval:org.opensuse.security:def:30359	P	Security update for wget (Moderate)	2020-12-01
oval:org.opensuse.security:def:30656	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:31395	P	Security update for perl	2020-12-01
oval:org.opensuse.security:def:54619	P	libvirt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:57396	P	Security update for kvm (Important)	2020-12-01
oval:org.opensuse.security:def:32041	P	Security update for krb5 (Important)	2020-12-01
oval:org.opensuse.security:def:32397	P	Security update for unzip (Moderate)	2020-12-01
oval:org.opensuse.security:def:32551	P	libexiv2-4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34151	P	Security update for openssh (Moderate)	2020-12-01
oval:org.opensuse.security:def:34724	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:25814	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:26018	P	Security update for freerdp (Important)	2020-12-01
oval:org.opensuse.security:def:26391	P	Security update for MozillaThunderbird (Important)	2020-12-01
oval:org.opensuse.security:def:26546	P	findutils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26512	P	Security update for pdns-recursor (Moderate)	2020-12-01
oval:org.opensuse.security:def:26804	P	perl-HTML-Parser on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27535	P	perl-base-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26415	P	Security update for python-Django (Moderate)	2020-12-01
oval:org.opensuse.security:def:26745	P	libexiv2-4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27082	P	apache2-mod_nss on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27817	P	Security update for libssh2	2020-12-01
oval:org.opensuse.security:def:27358	P	LibVNCServer-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27643	P	Security update for libssh2	2020-12-01
oval:org.opensuse.security:def:27988	P	Security update for MozillaFirefox, mozilla-nss, mozilla-nspr (Important)	2020-12-01
oval:org.opensuse.security:def:28134	P	Security update for jasper (Moderate)	2020-12-01
oval:org.opensuse.security:def:29909	P	Security update for libHX13	2020-12-01
oval:org.opensuse.security:def:30513	P	Security update for freeradius	2020-12-01
oval:org.opensuse.security:def:30675	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:55442	P	Security update for libssh (Moderate)	2020-12-01
oval:org.opensuse.security:def:32446	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:33189	P	libupsclient1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34249	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:34768	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25815	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26444	P	Security update for mumble (Moderate)	2020-12-01
oval:org.opensuse.security:def:26590	P	libmusicbrainz4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26290	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26663	P	PolicyKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26818	P	rsyslog on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26479	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:26829	P	systemtap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27121	P	fastjar on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27852	P	Security update for perl	2020-12-01
oval:org.opensuse.security:def:27369	P	apache2-mod_fcgid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27700	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:28037	P	Security update for cairo (Moderate)	2020-12-01
oval:org.opensuse.security:def:28772	P	Security update for libtiff	2020-12-01
oval:org.opensuse.security:def:29910	P	Security update for libapr	2020-12-01
oval:org.opensuse.security:def:30568	P	Security update for libvirt	2020-12-01
oval:org.opensuse.security:def:30719	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:54596	P	libraptor2-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54997	P	python-requests on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55727	P	Security update for poppler (Moderate)	2020-12-01
oval:org.opensuse.security:def:31817	P	Security update for atftp (Important)	2020-12-01
oval:org.opensuse.security:def:32485	P	PolicyKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33228	P	perl-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34306	P	Security update for quagga (Important)	2020-12-01
oval:org.opensuse.security:def:35406	P	Security update for openssh-openssl1 (Important)	2020-12-01
oval:org.opensuse.security:def:25826	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26493	P	Security update for phpMyAdmin (Important)	2020-12-01
oval:org.opensuse.security:def:27228	P	libxcrypt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26371	P	Security update for Chromium (Important)	2020-12-01
oval:org.opensuse.security:def:26716	P	gvim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26862	P	apache2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26403	P	Security update for ffmpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:26607	P	libvorbis on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26980	P	libxcrypt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27135	P	gmime on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27433	P	libarchive-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27784	P	Security update for kvm and libvirt	2020-12-01
oval:org.opensuse.security:def:28076	P	Security update for freetype2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28807	P	Security update for perl	2020-12-01
oval:org.opensuse.security:def:29921	P	Security update for libexif	2020-12-01
oval:org.opensuse.security:def:30617	P	Security update for vino	2020-12-01
oval:org.opensuse.security:def:54597	P	libraw9 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56120	P	Security update for libquicktime (Moderate)	2020-12-01
oval:org.opensuse.security:def:31949	P	Security update for grub2 (Important)	2020-12-01
oval:org.opensuse.security:def:32341	P	Security update for spice (Moderate)	2020-12-01
oval:org.opensuse.security:def:32507	P	evolution-data-server on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34395	P	Security update for unzip (Moderate)	2020-12-01
oval:org.opensuse.security:def:34699	P	Security update for xorg-x11-libxcb	2020-12-01
oval:org.opensuse.security:def:35447	P	Security update for perl	2020-12-01
oval:org.opensuse.security:def:25890	P	Security update for php5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26240	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:26532	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27263	P	perl-32bit on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:28258	P	SUSE-SU-2014:1321-1 -- Security update for perl (low)	2014-12-29
oval:org.opensuse.security:def:80104	P	Security update for perl	2014-10-22
oval:com.ubuntu.precise:def:20144330000	V	CVE-2014-4330 on Ubuntu 12.04 LTS (precise) - low.	2014-09-30
oval:com.ubuntu.trusty:def:20144330000	V	CVE-2014-4330 on Ubuntu 14.04 LTS (trusty) - low.	2014-09-30

BACK