CVE-2011-4114

The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program. NOTE: a similar vulnerability was reported for PAR, but this has been assigned a different CVE identifier.

CVSS v2.0 3.3 LOW

3.3^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:M/Au:N/C:N/I:P/A:P

Exploitability : 3.4 / Impact : 4.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071099.html	Patch
http://www.openwall.com/lists/oss-security/2011/11/04/4
https://bugzilla.redhat.com/show_bug.cgi?id=753955	Patch
https://rt.cpan.org/Public/Bug/Display.html?id=69560
http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071091.html
http://www.openwall.com/lists/oss-security/2011/11/04/2

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:roderich_schupp:par-packer_module:1.008:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.941:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.64:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.72:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.82:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.006:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.75:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.66:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.007:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.71:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.78:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.69:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.70:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.009:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.954:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.957:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.977:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.942:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.970:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.76:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.89:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.955:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.981:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.88:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.979:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.005:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.992_03:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.960:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.94:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.90:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.980:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.956:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.959:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.001:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.67:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.973:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.73:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.86:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.992_06:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.953:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.81:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.976:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.992_01:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.952:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.83:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module::::::::
	cpe:2.3:a:roderich_schupp:par-packer_module:1.003:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.93:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.992_05:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.992_04:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.92:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.63:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.85:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.004:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.77:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.74:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.992_02:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.975:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.68:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.978:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:1.002:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.80:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.87:::::::*
	cpe:2.3:a:roderich_schupp:par-packer_module:0.991:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:0.79:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:0.958:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:1.000:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:0.951:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:1.010:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:0.91:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:0.982:::::::*
cpe:2.3:a:roderich_schupp:par-packer_module:0.65:::::::*

Information

Published : 2012-01-13 10:55

Updated : 2023-02-12 16:20

NVD link : CVE-2011-4114

Mitre link : CVE-2011-4114

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

roderich_schupp

par-packer_module

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071099.html", "name": "FEDORA-2011-16856", "tags": ["Patch"], "refsource": "FEDORA"}, {"url": "http://www.openwall.com/lists/oss-security/2011/11/04/4", "name": "[oss-security] 20111104 Re: CVE request: unsafe use of /tmp in multiple CPAN modules", "tags": [], "refsource": "MLIST"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=753955", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=753955", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://rt.cpan.org/Public/Bug/Display.html?id=69560", "name": "https://rt.cpan.org/Public/Bug/Display.html?id=69560", "tags": [], "refsource": "CONFIRM"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071091.html", "name": "FEDORA-2011-16859", "tags": [], "refsource": "FEDORA"}, {"url": "http://www.openwall.com/lists/oss-security/2011/11/04/2", "name": "[oss-security] 20111104 CVE request: unsafe use of /tmp in multiple CPAN modules", "tags": [], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program. NOTE: a similar vulnerability was reported for PAR, but this has been assigned a different CVE identifier."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-4114", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 3.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2012-01-13T18:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.008:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.941:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.64:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.72:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.82:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.006:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.75:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.66:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.007:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.71:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.78:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.69:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.70:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.009:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.954:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.957:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.977:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.942:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.970:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.76:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.89:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.955:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.981:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.88:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.979:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.005:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.992_03:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.960:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.94:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.90:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.980:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.956:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.959:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.001:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.67:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.973:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.73:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.86:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.992_06:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.953:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.81:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.976:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.992_01:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.952:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.83:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.011"}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.003:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.93:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.992_05:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.992_04:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.92:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.63:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.85:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.004:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.77:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.74:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.992_02:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.975:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.68:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.978:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.002:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.80:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.87:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.991:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.79:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.958:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.000:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.951:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:1.010:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.91:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.982:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roderich_schupp:par-packer_module:0.65:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T00:20Z"}

3.3 /10