Alpine: multiple perl-config-inifiles packages: security update to 3.002000-r0

High | Tenable Cloud Security | Plugin ID 443534

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a
2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a
filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd",
"cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than
opened as a file. The helper is the open path behind the documented -file argument:
new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does
not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run
an arbitrary command or truncate a file under the process UID. (CVE-2026-11527)
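
Added example (not from the advisory or from the Config::IniFiles project): one way for a caller to keep an untrusted name away from the module's open path until the package is updated, by opening the file itself with 3-arg open() and passing the scalar-reference form that the description says is unaffected. The helper names is_magic_open_name and load_ini_safely and the sample INI content are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Config::IniFiles;
use File::Temp qw(tempfile);

# Name shapes the advisory lists as reinterpreted by 2-arg open().
# 2-arg open() ignores surrounding whitespace, hence the \s*.
sub is_magic_open_name {
    my ($name) = @_;
    return 1 if $name =~ /^\s*\|/;    # "| cmd": pipe to a command
    return 1 if $name =~ /\|\s*$/;    # "cmd |": pipe from a command
    return 1 if $name =~ /^\s*>/;     # "> path", ">> path": write or append
    return 0;
}

# load_ini_safely is a hypothetical helper, not part of Config::IniFiles.
sub load_ini_safely {
    my ($path) = @_;
    # Policy check so hostile-looking names are rejected and can be logged.
    die "refusing config name: '$path'\n" if is_magic_open_name($path);

    # 3-arg open(): the mode is fixed to '<', so $path is only a filename.
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    my $text = do { local $/; <$fh> };
    close($fh);

    # Scalar-reference form: the module parses $text and opens no path.
    my $cfg = Config::IniFiles->new(-file => \$text)
        or die "parse error: @Config::IniFiles::errors\n";
    return $cfg;
}

# Constructed sample input: a temporary INI file.
my ($tfh, $tname) = tempfile(UNLINK => 1);
print {$tfh} "[db]\nhost=localhost\n";
close($tfh);

my $cfg = load_ini_safely($tname);
print "db.host = ", $cfg->val('db', 'host'), "\n";

# Constructed names using the shapes quoted in the description.
for my $name ('| cmd', 'cmd |', '> path', '>> path') {
    my $ok = eval { load_ini_safely($name); 1 };
    print "rejected: $name\n" unless $ok;
}
```

The name check is a policy gate for logging and early rejection; the 3-arg open() and the scalar reference are what keep the name from being interpreted as a command or redirect.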

Solution

Update the perl-config-inifiles library and its related packages to version 3.002000-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-11527

Plugin Details

Severity: High

ID: 443534

Version: Revision 1.2

Type: Local

Published: 6/19/2026

Updated: 6/19/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-11527

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/14/2026

Reference Information

CVE: CVE-2026-11527