5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.2%
File::Path module provides a convenient way to create directories of arbitrary depth and to delete an entire directory subtree from the filesystem.
A race condition occurs within concurrent environments. This condition was discovered by The cPanel Security Team in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl. This is due to the time-of-check-to-time-of-use (TOCTOU) race condition between the stat() that decides the inode is a directory and the chmod() that tries to make it user-rwx.
A local attacker could exploit this condition to set arbitrary mode values on arbitrary files and hence bypass security restrictions.
There is no known workaround at this time.
All Perl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"
All File-Path users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"
All Perl-File-Path users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | dev-lang/perl | < 5.24.1-r2 | UNKNOWN |
Gentoo | any | all | perl-core/file-path | < 2.130.0 | UNKNOWN |
Gentoo | any | all | virtual/perl-file-path | < 2.130.0 | UNKNOWN |
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.2%