CVE-2014-4330

low

Description

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.

References

http://advisories.mageia.org/MGASA-2014-0406.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-September/139441.html

http://packetstormsecurity.com/files/128422/Perl-5.20.1-Deep-Recursion-Stack-Overflow.html

http://seclists.org/fulldisclosure/2014/Sep/84

http://seclists.org/oss-sec/2014/q3/692

http://secunia.com/advisories/61441

http://secunia.com/advisories/61961

http://www.mandriva.com/security/advisories?name=MDVSA-2015:136

http://www.nntp.perl.org/group/perl.perl5.porters/2014/09/msg220118.html

http://www.securityfocus.com/archive/1/533543/100/0/threaded

http://www.securityfocus.com/bid/70142

http://www.ubuntu.com/usn/USN-2916-1

https://exchange.xforce.ibmcloud.com/vulnerabilities/96216

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

https://metacpan.org/pod/distribution/Data-Dumper/Changes

https://www.lsexperts.de/advisories/lse-2014-06-10.txt

Details

Source: MITRE

Published: 2014-09-30

Updated: 2018-10-09

Type: CWE-119

Risk Information

CVSS v2

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:* versions up to 5.20.1 (inclusive)

Configuration 2

OR

cpe:2.3:a:data_dumper_project:data_dumper:*:*:*:*:*:*:*:* versions up to 2.151 (inclusive)

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 154394 | EulerOS 2.0 SP3 : perl-Data-Dumper (EulerOS-SA-2021-2604) | Nessus | Huawei Local Security Checks | low |
| 153306 | EulerOS 2.0 SP2 : perl-Data-Dumper (EulerOS-SA-2021-2420) | Nessus | Huawei Local Security Checks | low |
| 141666 | EulerOS Virtualization 3.0.2.2 : perl (EulerOS-SA-2020-2229) | Nessus | Huawei Local Security Checks | medium |
| 138001 | EulerOS Virtualization 3.0.6.0 : perl-Data-Dumper (EulerOS-SA-2020-1782) | Nessus | Huawei Local Security Checks | low |
| 137963 | EulerOS Virtualization 3.0.6.0 : perl (EulerOS-SA-2020-1744) | Nessus | Huawei Local Security Checks | low |
| 136256 | EulerOS Virtualization for ARM 64 3.0.2.0 : perl-Data-Dumper (EulerOS-SA-2020-1553) | Nessus | Huawei Local Security Checks | low |
| 136230 | EulerOS Virtualization for ARM 64 3.0.2.0 : perl (EulerOS-SA-2020-1527) | Nessus | Huawei Local Security Checks | high |
| 134809 | EulerOS 2.0 SP5 : perl (EulerOS-SA-2020-1318) | Nessus | Huawei Local Security Checks | low |
| 133924 | EulerOS 2.0 SP5 : perl-Data-Dumper (EulerOS-SA-2020-1123) | Nessus | Huawei Local Security Checks | low |
| 132183 | EulerOS 2.0 SP3 : perl (EulerOS-SA-2019-2648) | Nessus | Huawei Local Security Checks | high |
| 131911 | EulerOS 2.0 SP2 : perl (EulerOS-SA-2019-2419) | Nessus | Huawei Local Security Checks | high |
| 89100 | Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : perl vulnerabilities (USN-2916-1) | Nessus | Ubuntu Local Security Checks | high |
| 82389 | Mandriva Linux Security Advisory : perl (MDVSA-2015:136) | Nessus | Mandriva Local Security Checks | low |
| 80735 | Oracle Solaris Third-Party Patch Update : perl (cve_2014_4330_buffer_errors) | Nessus | Solaris Local Security Checks | low |
| 78667 | SuSE 11.3 Security Update : perl (SAT Patch Number 9858) | Nessus | SuSE Local Security Checks | low |
| 78615 | Mandriva Linux Security Advisory : perl (MDVSA-2014:199) | Nessus | Mandriva Local Security Checks | low |
| 78094 | Fedora 19 : perl-Data-Dumper-2.154-1.fc19 (2014-11428) | Nessus | Fedora Local Security Checks | low |
| 77938 | Fedora 20 : perl-Data-Dumper-2.154-1.fc20 (2014-11453) | Nessus | Fedora Local Security Checks | low |