Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-6329Code Injection in Perl

CWE-94Code Injection11 documents9 sources
Severity
7.5HIGHNVD
EPSS
82.0%
top 0.79%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
PerlDebian Perl
Timeline
PublishedJan 4
Latest updateMay 17

Description

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

debiandebian/perl< perl 5.14.2-16 (bookworm)
Debianperl/perl< 5.14.2-16+3
NVDperl/perl5.16.2+31

Patches

Patch: perl5.git.perl.orgPatch: perl5.git.perl.org

🔴Vulnerability Details

2
GHSA
GHSA-g4g2-w92h-7fjc: The _compile function in Maketext2022-05-17
OSV
CVE-2012-6329: The _compile function in Maketext2013-01-04

💥Exploits & PoCs

4
Exploit-DB
Foswiki MAKETEXT - Remote Command Execution (Metasploit)2012-12-23
Exploit-DB
TWiki MAKETEXT - Remote Command Execution (Metasploit)2012-12-23
Metasploit
TWiki MAKETEXT Remote Command Execution
Metasploit
Foswiki MAKETEXT Remote Command Execution

📋Vendor Advisories

3
Ubuntu
Perl vulnerability2014-02-05
Red Hat
perl: possible arbitrary code execution via Locale::Maketext2012-12-04
Debian
CVE-2012-6329: perl - The _compile function in Maketext.pm in the Locale::Maketext implementation in P...2012

💬Community

1
Bugzilla
CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext2012-12-06