CVE-2017-6512

Published: 01/06/2017 Updated: 29/04/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Race condition in the rmtree and remove_tree functions of the File::Path module (File-Path distribution) before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic.
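The bug class behind this entry is a time-of-check/time-of-use race: the tree-removal code lstat()s a directory, decides it is not writable, and then chmod()s it by path name so it can descend into it. If the directory is replaced by a symlink between the check and the chmod, the mode lands on the symlink's target. The following is an added example written for this page in Python (File::Path is Perl; this is not the module's code and does not claim to reproduce its 2.13 patch). The attacker's rename is simulated deterministically through a `between_check_and_use` hook so the race is reproducible; the hardened variant opens the directory with O_NOFOLLOW, confirms by dev/ino that the open fd is the directory lstat() saw, and applies fchmod() to the fd instead of chmod() to the path. The `simulate` helper, the 0o500 directory mode and the victim file are constructed for the demonstration.

```python
"""
CVE-2017-6512 bug class: TOCTOU in "loosen directory permissions before
recursing" logic.  Added illustration in Python, not File::Path's code.
Assumes a POSIX system (os.O_NOFOLLOW, os.O_DIRECTORY, os.fchmod).
"""
import os
import stat
import tempfile


def loosen_dir_mode_vulnerable(path, between_check_and_use=None):
    """Check with lstat(), then chmod() the *path name*.
    chmod() follows symlinks, so if the directory is swapped for a symlink
    in the window, the target of the link gets the new mode."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if (st.st_mode & 0o700) == 0o700:
        return False                      # already rwx for owner
    if between_check_and_use:             # the race window
        between_check_and_use()
    os.chmod(path, (st.st_mode & 0o7777) | 0o700)   # follows symlinks!
    return True


def loosen_dir_mode_hardened(path, between_check_and_use=None):
    """Same check, but the use is bound to the object that was checked:
    open() without following symlinks, verify dev/ino against lstat(),
    and fchmod() the fd.  A swapped-in symlink fails open() with ELOOP;
    a swapped-in directory fails the dev/ino comparison."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if (st.st_mode & 0o700) == 0o700:
        return False
    if between_check_and_use:
        between_check_and_use()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise OSError("directory replaced between check and use")
        os.fchmod(fd, (st.st_mode & 0o7777) | 0o700)
    finally:
        os.close(fd)
    return True


def simulate(loosen, race=True):
    """Constructed scenario: an unwritable directory 'tree/locked' (mode
    0o500, readable so O_RDONLY open works) and an unrelated file 'victim'
    (mode 0o600).  With race=True the attacker replaces 'locked' with a
    symlink to 'victim' inside the window.  Returns (outcome, victim mode)."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        with open(victim, "w") as f:
            f.write("secret\n")
        os.chmod(victim, 0o600)
        locked = os.path.join(root, "tree", "locked")
        os.makedirs(locked)
        os.chmod(locked, 0o500)

        def attacker():
            # Needs only write access to 'tree', not to 'locked' itself.
            os.rmdir(locked)
            os.symlink(victim, locked)

        try:
            loosen(locked, attacker if race else None)
            outcome = "chmod applied"
        except OSError:
            outcome = "refused"
        victim_mode = stat.S_IMODE(os.stat(victim).st_mode)
        return outcome, victim_mode


if __name__ == "__main__":
    for name, fn in (("vulnerable", loosen_dir_mode_vulnerable),
                     ("hardened", loosen_dir_mode_hardened)):
        outcome, mode = simulate(fn)
        print(f"{name:10s} raced: {outcome}, victim mode now {mode:o}")
```

The vulnerable path ends with the victim at mode 0o700 even though the caller only ever meant to touch a directory; the hardened path refuses and leaves the victim at 0o600. Without the race both variants behave identically, which is why this class of bug survives ordinary testing. Note the caveat that an O_RDONLY open needs read permission on the directory; a directory with mode 0o000 would need a different strategy (for example, chmod the parent-relative name only after an fstat comparison on a parent fd, or skip the loosening entirely).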

Affected Products

Vendor               Product        Versions
File::Path Project   File::Path     1.99_01, 1.99_02, 2.00_05, 2.00_06, 2.00_07, 2.00_08, 2.00_09, 2.00_10, 2.00_11, 2.01, 2.02, 2.03, 2.04, 2.05, 2.06, 2.06_01, 2.06_02, 2.06_03, 2.06_04, 2.06_05, 2.06_06, 2.06_07, 2.06_08, 2.07, 2.07_03, 2.08, 2.09, 2.10_001, 2.10_002, 2.10_003, 2.10_004, 2.10_005, 2.11, 2.11_001, 2.11_002, 2.11_003, 2.11_004, 2.12, 2.12_001, 2.12_002, 2.12_003, 2.12_004, 2.12_005, 2.12_006, 2.12_007, 2.12_008
Canonical            Ubuntu Linux   12.04, 14.04, 16.04, 17.10
Debian               Debian Linux   8.0, 9.0

Vendor Advisories

The cPanel Security Team reported a time-of-check to time-of-use (TOCTTOU) race condition flaw in File::Path, a core Perl module used to create or remove directory trees. An attacker can take advantage of this flaw to set the mode on an attacker-chosen file to an attacker-chosen value. For the stable distribution (jessie), this problem has been fixe ...
Debian Bug report logs - #863870 perl: File-Path rmtree/remove_tree race condition [CVE-2017-6512] Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl (PTS, buildd, popcon) Reported by: Dominic Hargreaves <dom@earth.li> Date: Thu, 1 Jun 2017 09:45:02 UTC Severity: critica ...
Several security issues were fixed in Perl ...
Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic ...
Several security issues were fixed in Perl ...
Oracle Solaris Third Party Bulletin - January 2019 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Criti ...
