Search criteria
2 vulnerabilities by RRWO
CVE-2025-40911 (GCVE-0-2025-40911)
Vulnerability from cvelistv5 – Published: 2025-05-27 21:17 – Updated: 2025-05-28 13:56
VLAI?
Summary
Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.
Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.
Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.
Severity ?
6.5 (Medium)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RRWO | Net::CIDR::Set |
Affected:
0.10 , ≤ 0.13
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40911",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T13:38:44.822895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T13:56:12.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Set",
"product": "Net::CIDR::Set",
"repo": "https://github.com/robrwo/perl-Net-CIDR-Set",
"vendor": "RRWO",
"versions": [
{
"lessThanOrEqual": "0.13",
"status": "affected",
"version": "0.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.\u003cbr\u003e\u003cbr\u003eLeading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.\u003cbr\u003e\u003cbr\u003eNet::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154."
}
],
"value": "Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.\n\nLeading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.\n\nNet::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287 Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T21:17:42.238Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch"
},
{
"tags": [
"related"
],
"url": "https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to version 0.14, or apply the patch provided by the module author."
}
],
"value": "Update to version 0.14, or apply the patch provided by the module author."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40911",
"datePublished": "2025-05-27T21:17:42.238Z",
"dateReserved": "2025-04-16T09:05:34.361Z",
"dateUpdated": "2025-05-28T13:56:12.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3051 (GCVE-0-2025-3051)
Vulnerability from cvelistv5 – Published: 2025-04-01 02:20 – Updated: 2025-04-01 18:30
VLAI?
Summary
Linux::Statm::Tiny for Perl before 0.0701 allows untrusted code from the current working directory ('.') to be loaded similar to CVE-2016-1238.
If an attacker can place a malicious file in current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution.
Linux::Statm::Tiny uses Mite to produce the affected code section due to CVE-2025-30672
Severity ?
6.5 (Medium)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RRWO | Linux::Statm::Tiny |
Affected:
0 , < 0.0701
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-3051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T18:29:49.888428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T18:30:09.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Linux-Statm-Tiny",
"product": "Linux::Statm::Tiny",
"programFiles": [
"lib/Linux/Statm/Tiny/Mite.pm"
],
"repo": "https://github.com/robrwo/Linux-Statm-Tiny",
"vendor": "RRWO",
"versions": [
{
"lessThan": "0.0701",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Linux::Statm::Tiny for Perl before 0.0701 allows untrusted code from the current working directory (\u0027.\u0027) to be loaded similar to CVE-2016-1238.\u003cbr\u003e\u003cbr\u003eIf an attacker can place a malicious file in current working directory, it may be\u0026nbsp;loaded instead of the intended file, potentially leading to arbitrary\u0026nbsp;code execution.\u003cbr\u003e\u003cbr\u003eLinux::Statm::Tiny uses Mite to produce the affected code section due to\u0026nbsp;CVE-2025-30672"
}
],
"value": "Linux::Statm::Tiny for Perl before 0.0701 allows untrusted code from the current working directory (\u0027.\u0027) to be loaded similar to CVE-2016-1238.\n\nIf an attacker can place a malicious file in current working directory, it may be\u00a0loaded instead of the intended file, potentially leading to arbitrary\u00a0code execution.\n\nLinux::Statm::Tiny uses Mite to produce the affected code section due to\u00a0CVE-2025-30672"
}
],
"impacts": [
{
"capecId": "CAPEC-38",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T02:20:40.971Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Linux-Statm-Tiny-0.0701/changes"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/RRWO/Linux-Statm-Tiny-0.0700/source/lib/Linux/Statm/Tiny/Mite.pm#L82"
},
{
"tags": [
"related"
],
"url": "https://blogs.perl.org/users/todd_rinaldo/2016/11/what-happened-to-dot-in-inc.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Version 0.0701 of Linux::Statm::Tiny\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003ewas released to address the issue. Users should update to the latest version.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Version 0.0701 of Linux::Statm::Tiny\u00a0was released to address the issue. Users should update to the latest version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Linux::Statm::Tiny for Perl allows untrusted code to be included from the current working directory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-3051",
"datePublished": "2025-04-01T02:20:40.971Z",
"dateReserved": "2025-03-31T16:00:05.354Z",
"dateUpdated": "2025-04-01T18:30:09.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}