What is CVE-2016-2381?

CVE-2016-2381 is a high-severity software vulnerability (Improper input validation) with a CVSS score of 7.5. Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

Is CVE-2016-2381 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 9%.

What products does CVE-2016-2381 affect?

Tracked products affected include Ubuntu, Perl. Check the version you run to see whether it is affected.

How do I fix CVE-2016-2381?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

← All products

CVE-2016-2381

HIGH severity · CVSS 7.5 · Improper input validation

7.5CVSS HIGH

Summary

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)9%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products we track (2)

Ubuntu Perl

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076Advisory
http://lists.opensuse.org/opensuse-updates/2016-03/msg00112.htmlAdvisory
http://www.debian.org/security/2016/dsa-3501Advisory
http://www.gossamer-threads.com/lists/perl/porters/326387Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlAdvisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlAdvisory
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.htmlAdvisory
http://www.securityfocus.com/bid/83802Advisory