CVE-2020-10878

Summary

CVE	CVE-2020-10878
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-06-05 14:15:00 UTC
Updated	2023-11-07 03:14:00 UTC
Description	Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Risk And Classification

Problem Types: CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Snap Creator Framework	-	All	All	All
Application	Netapp	Snap Creator Framework	-	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.2.0	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.3.0	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.2.0	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.3.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Eagle Application Processor	All	All	All	All
Application	Oracle	Communications Eagle Lnp Application Processor	10.1	All	All	All
Application	Oracle	Communications Eagle Lnp Application Processor	10.2	All	All	All
Application	Oracle	Communications Eagle Lnp Application Processor	46.7	All	All	All
Application	Oracle	Communications Eagle Lnp Application Processor	46.8	All	All	All
Application	Oracle	Communications Eagle Lnp Application Processor	46.9	All	All	All
Application	Oracle	Communications Lsms	All	All	All	All
Application	Oracle	Communications Offline Mediation Controller	12.0.0.3.0	All	All	All
Application	Oracle	Communications Performance Intelligence Center	All	All	All	All
Application	Oracle	Communications Performance Intelligence Center	All	All	All	All
Application	Oracle	Communications Pricing Design Center	12.0.0.3.0	All	All	All
Application	Oracle	Configuration Manager	12.1.2.0.8	All	All	All
Application	Oracle	Enterprise Manager Base Platform	13.4.0.0	All	All	All
Application	Oracle	Sd-wan Aware	8.2	All	All	All
Application	Oracle	Sd-wan Aware	9.0	All	All	All
Application	Oracle	Sd-wan Aware	9.1	All	All	All
Application	Oracle	Tekelec Platform Distribution	All	All	All	All
Application	Perl	Perl	All	All	All	All
Application	Perl	Perl	All	All	All	All

References

Reference	Source	Link	Tags
June 2020 Perl Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
study_chunk: extract rck_elide_nothing · Perl/perl5@0a320d7 · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[SECURITY] Fedora 31 Update: perl-5.30.3-452.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
[security-announce] openSUSE-SU-2020:0850-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com	Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
perl5/perl5303delta.pod at blead · Perl/perl5 · GitHub	CONFIRM	github.com	Third Party Advisory
Perl: Multiple vulnerabilities (GLSA 202006-03) — Gentoo security	GENTOO	security.gentoo.org	Third Party Advisory
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[SECURITY] Fedora 31 Update: perl-5.30.3-452.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Comparing v5.30.2...v5.30.3 · Perl/perl5 · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
regcomp: use long jumps if there is any possibility of overflow · Perl/perl5@3295b48 · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159183 Oracle Enterprise Linux Security Update for perl (ELSA-2021-9238)
159203 Oracle Enterprise Linux Security Update for perl (ELSA-2021-1678)
20286 Oracle Database 19c OJVM Critical Patch Update - January 2021
20301 Oracle Database 18c OJVM Critical Patch Update - January 2021
20312 Oracle Database 12.2.0.1 Critical OJVM Patch Update - January 2021
20317 Oracle Database 21c Critical Patch Update - January 2023
20318 Oracle Database 19c Critical Patch Update - January 2023
20319 Oracle Database 19c Critical OJVM Patch Update - January 2023
239170 Red Hat Update for perl (RHSA-2021:0883)
239179 Red Hat Update for perl (RHSA-2021:1032)
239320 Red Hat Update for perl (RHSA-2021:1678)
239492 Red Hat Update for perl (RHSA-2021:2792)
376404 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Perl Vulnerability (K40508224)
377427 Alibaba Cloud Linux Security Update for perl (ALINUX2-SA-2021:0004)
377575 Alibaba Cloud Linux Security Update for perl (ALINUX3-SA-2021:0012)
500526 Alpine Linux Security Update for perl
504287 Alpine Linux Security Update for perl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
730228 McAfee Web Gateway Multiple Vulnerabilities (WP-3445, WP-3483, WP-3527, WP-3528, WP-3547, WP-3584,WP-3589,WP-3611)
940057 AlmaLinux Security Update for perl (ALSA-2021:1678)
960762 Rocky Linux Security Update for perl (RLSA-2021:1678)