Perl
Products by Perl Sorted by Most Security Vulnerabilities since 2018
Known Exploited Perl Vulnerabilities
The following Perl vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| ExifTool Remote Code Execution Vulnerability | Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image CVE-2021-22204 | November 17, 2021 |
By the Year
In 2024 there have been 0 vulnerabilities in Perl . Last year Perl had 4 security vulnerabilities published. Right now, Perl is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 4 | 8.95 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 7.80 |
| 2020 | 8 | 6.63 |
| 2019 | 0 | 0.00 |
| 2018 | 8 | 9.14 |
It may take a day or so for new Perl vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Perl Security Vulnerabilities
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{
CVE-2023-47100
9.8 - Critical
- December 02, 2023
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
Improper Handling of Exceptional Conditions
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash
CVE-2022-48522
9.8 - Critical
- August 22, 2023
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
Memory Corruption
HTTP::Tiny before 0.083
CVE-2023-31486
8.1 - High
- April 29, 2023
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Improper Certificate Validation
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVE-2023-31484
8.1 - High
- April 29, 2023
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Improper Certificate Validation
CPAN 2.28 allows Signature Verification Bypass.
CVE-2020-16156
7.8 - High
- December 13, 2021
CPAN 2.28 allows Signature Verification Bypass.
Improper Verification of Cryptographic Signature
An issue was discovered in the DBI module before 1.643 for Perl
CVE-2019-20919
4.7 - Medium
- September 17, 2020
An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.
NULL Pointer Dereference
An issue was discovered in the DBI module through 1.643 for Perl
CVE-2014-10402
6.1 - Medium
- September 16, 2020
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.
Incorrect Permission Assignment for Critical Resource
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs
CVE-2020-14393
7.1 - High
- September 16, 2020
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
Memory Corruption
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643
CVE-2020-14392
5.5 - Medium
- September 16, 2020
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.
Buffer Overflow
An issue was discovered in the DBI module before 1.632 for Perl
CVE-2013-7490
5.3 - Medium
- September 11, 2020
An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.
Buffer Overflow
regcomp.c in Perl before 5.30.3
CVE-2020-12723
7.5 - High
- June 05, 2020
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
Classic Buffer Overflow
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation
CVE-2020-10878
8.6 - High
- June 05, 2020
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
Integer Overflow or Wraparound
Perl before 5.30.3 on 32-bit platforms
CVE-2020-10543
8.2 - High
- June 05, 2020
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
Memory Corruption
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression
CVE-2018-18311
9.8 - Critical
- December 07, 2018
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Memory Corruption
Perl before 5.26.3 has a buffer over-read via a crafted regular expression
CVE-2018-18313
9.1 - Critical
- December 07, 2018
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
Out-of-bounds Read
Perl before 5.26.3 has a buffer overflow via a crafted regular expression
CVE-2018-18314
9.8 - Critical
- December 07, 2018
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Buffer Overflow
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression
CVE-2018-18312
9.8 - Critical
- December 05, 2018
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Buffer Overflow
In Perl through 5.26.2, the Archive::Tar module
CVE-2018-12015
7.5 - High
- June 07, 2018
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.
insecure temporary file
An issue was discovered in Perl 5.18 through 5.26
CVE-2018-6797
9.8 - Critical
- April 17, 2018
An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.
Memory Corruption
Heap-based buffer overflow in the pack function in Perl before 5.26.2
CVE-2018-6913
9.8 - Critical
- April 17, 2018
Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
Memory Corruption
An issue was discovered in Perl 5.22 through 5.26
CVE-2018-6798
7.5 - High
- April 17, 2018
An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
Out-of-bounds Read
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
CVE-2017-12883
9.1 - Critical
- September 19, 2017
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape.
Buffer Overflow
Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1
CVE-2017-12837
7.5 - High
- September 19, 2017
Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier.
Buffer Overflow
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22
CVE-2015-8608
9.8 - Critical
- February 07, 2017
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.
Out-of-bounds Read
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might
CVE-2016-6185
7.8 - High
- August 02, 2016
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
(1) cpan/Archive-Tar/bin/ptar
CVE-2016-1238
7.8 - High
- August 02, 2016
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
Permissions, Privileges, and Access Controls
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process
CVE-2016-2381
7.5 - High
- April 08, 2016
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
Improper Input Validation
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might
CVE-2015-8607
7.3 - High
- January 13, 2016
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
Improper Input Validation
Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might
CVE-2011-2939
- January 13, 2012
Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.
Numeric Errors
Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which
CVE-1999-1386
5.5 - Medium
- December 31, 1999
Perl 5.004_04 and earlier follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/perl-eaXXXXX file.
insecure temporary file