Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2004-2022 — Classic Buffer Overflow in ActivePerl
Severity
2.1 LOW NVD
GHSA 5.0 CISA 7.8
EPSS
1.5%
top 19.03%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Dec 31
Latest update: Oct 6
Description
ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, when running on Windows systems, allow attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl.
CVSS vector
AV:L/AC:L/C:N/I:N/A:P
Exploitability: 3.9 | Impact: 2.9