RHSA-2026:7604

Vulnerability from csaf_redhat - Published: 2026-04-10 22:59 - Updated: 2026-04-21 13:31
Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:

perl:
* perl-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-Attribute-Handlers-1.03-524.1.hum1 (noarch)
* perl-AutoLoader-5.74-524.1.hum1 (noarch)
* perl-AutoSplit-5.74-524.1.hum1 (noarch)
* perl-B-1.89-524.1.hum1 (aarch64, x86_64)
* perl-Benchmark-1.27-524.1.hum1 (noarch)
* perl-Class-Struct-0.68-524.1.hum1 (noarch)
* perl-Config-Extensions-0.03-524.1.hum1 (noarch)
* perl-DBM_Filter-0.07-524.1.hum1 (noarch)
* perl-Devel-Peek-1.36-524.1.hum1 (aarch64, x86_64)
* perl-Devel-SelfStubber-1.06-524.1.hum1 (noarch)
* perl-DirHandle-1.05-524.1.hum1 (noarch)
* perl-Dumpvalue-2.27-524.1.hum1 (noarch)
* perl-DynaLoader-1.57-524.1.hum1 (aarch64, x86_64)
* perl-English-1.11-524.1.hum1 (noarch)
* perl-Errno-1.38-524.1.hum1 (aarch64, x86_64)
* perl-ExtUtils-Constant-0.25-524.1.hum1 (noarch)
* perl-ExtUtils-Embed-1.35-524.1.hum1 (noarch)
* perl-ExtUtils-Miniperl-1.14-524.1.hum1 (noarch)
* perl-Fcntl-1.20-524.1.hum1 (aarch64, x86_64)
* perl-File-Basename-2.86-524.1.hum1 (noarch)
* perl-File-Compare-1.100.800-524.1.hum1 (noarch)
* perl-File-Copy-2.41-524.1.hum1 (noarch)
* perl-File-DosGlob-1.12-524.1.hum1 (aarch64, x86_64)
* perl-File-Find-1.44-524.1.hum1 (noarch)
* perl-File-stat-1.14-524.1.hum1 (noarch)
* perl-FileCache-1.10-524.1.hum1 (noarch)
* perl-FileHandle-2.05-524.1.hum1 (noarch)
* perl-FindBin-1.54-524.1.hum1 (noarch)
* perl-GDBM_File-1.24-524.1.hum1 (aarch64, x86_64)
* perl-Getopt-Std-1.14-524.1.hum1 (noarch)
* perl-Hash-Util-0.32-524.1.hum1 (aarch64, x86_64)
* perl-Hash-Util-FieldHash-1.27-524.1.hum1 (aarch64, x86_64)
* perl-I18N-Collate-1.02-524.1.hum1 (noarch)
* perl-I18N-LangTags-0.45-524.1.hum1 (noarch)
* perl-I18N-Langinfo-0.24-524.1.hum1 (aarch64, x86_64)
* perl-IO-1.55-524.1.hum1 (aarch64, x86_64)
* perl-IPC-Open3-1.24-524.1.hum1 (noarch)
* perl-Locale-Maketext-Simple-0.21-524.1.hum1 (noarch)
* perl-Math-Complex-1.63-524.1.hum1 (noarch)
* perl-Memoize-1.17-524.1.hum1 (noarch)
* perl-Module-Loaded-0.08-524.1.hum1 (noarch)
* perl-NDBM_File-1.18-524.1.hum1 (aarch64, x86_64)
* perl-NEXT-0.69-524.1.hum1 (noarch)
* perl-Net-1.04-524.1.hum1 (noarch)
* perl-ODBM_File-1.20-524.1.hum1 (aarch64, x86_64)
* perl-Opcode-1.69-524.1.hum1 (aarch64, x86_64)
* perl-POSIX-2.23-524.1.hum1 (aarch64, x86_64)
* perl-Pod-Functions-1.14-524.1.hum1 (noarch)
* perl-Pod-Html-1.35-524.1.hum1 (noarch)
* perl-Safe-2.47-524.1.hum1 (noarch)
* perl-Search-Dict-1.08-524.1.hum1 (noarch)
* perl-SelectSaver-1.02-524.1.hum1 (noarch)
* perl-SelfLoader-1.28-524.1.hum1 (noarch)
* perl-Symbol-1.09-524.1.hum1 (noarch)
* perl-Sys-Hostname-1.25-524.1.hum1 (aarch64, x86_64)
* perl-Term-Complete-1.403-524.1.hum1 (noarch)
* perl-Term-ReadLine-1.17-524.1.hum1 (noarch)
* perl-Test-1.31-524.1.hum1 (noarch)
* perl-Text-Abbrev-1.02-524.1.hum1 (noarch)
* perl-Thread-3.06-524.1.hum1 (noarch)
* perl-Thread-Semaphore-2.13-524.1.hum1 (noarch)
* perl-Tie-4.6-524.1.hum1 (noarch)
* perl-Tie-File-1.10-524.1.hum1 (noarch)
* perl-Tie-Memoize-1.1-524.1.hum1 (noarch)
* perl-Time-1.04-524.1.hum1 (noarch)
* perl-Time-Piece-1.3600-524.1.hum1 (aarch64, x86_64)
* perl-Unicode-UCD-0.81-524.1.hum1 (noarch)
* perl-User-pwent-1.05-524.1.hum1 (noarch)
* perl-autouse-1.11-524.1.hum1 (noarch)
* perl-base-2.27-524.1.hum1 (noarch)
* perl-blib-1.07-524.1.hum1 (noarch)
* perl-debugger-1.60-524.1.hum1 (noarch)
* perl-deprecate-0.04-524.1.hum1 (noarch)
* perl-devel-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-diagnostics-1.40-524.1.hum1 (noarch)
* perl-doc-5.42.2-524.1.hum1 (noarch)
* perl-encoding-warnings-0.14-524.1.hum1 (noarch)
* perl-fields-2.27-524.1.hum1 (noarch)
* perl-filetest-1.03-524.1.hum1 (noarch)
* perl-if-0.61.000-524.1.hum1 (noarch)
* perl-interpreter-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-less-0.03-524.1.hum1 (noarch)
* perl-lib-0.65-524.1.hum1 (aarch64, x86_64)
* perl-libnetcfg-5.42.2-524.1.hum1 (noarch)
* perl-libs-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-locale-1.13-524.1.hum1 (noarch)
* perl-macros-5.42.2-524.1.hum1 (noarch)
* perl-meta-notation-5.42.2-524.1.hum1 (noarch)
* perl-mro-1.29-524.1.hum1 (aarch64, x86_64)
* perl-open-1.13-524.1.hum1 (noarch)
* perl-overload-1.40-524.1.hum1 (noarch)
* perl-overloading-0.02-524.1.hum1 (noarch)
* perl-ph-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-sigtrap-1.10-524.1.hum1 (noarch)
* perl-sort-2.06-524.1.hum1 (noarch)
* perl-subs-1.04-524.1.hum1 (noarch)
* perl-tests-5.42.2-524.1.hum1 (aarch64, x86_64)
* perl-utils-5.42.2-524.1.hum1 (noarch)
* perl-vars-1.05-524.1.hum1 (noarch)
* perl-vmsish-1.04-524.1.hum1 (noarch)
* perl-5.42.2-524.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CWE-190 - Integer Overflow or Wraparound
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CWE-125 - Out-of-bounds Read
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CWE-122 - Heap-based Buffer Overflow
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CWE-190 - Integer Overflow or Wraparound
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604
Workaround: To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CWE-624 - Executable Regular Expression Error
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604
Workaround: To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.

A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens because `verify_SSL` is missing when using the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues.

CWE-295 - Improper Certificate Validation
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604

A vulnerability was found in HTTP::Tiny, a Perl core module and standalone CPAN package, which does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server.

CWE-1188 - Initialization of a Resource with an Insecure Default
Vendor Fix: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:7604
References
https://access.redhat.com/errata/RHSA-2026:7604 self
https://images.redhat.com/ external
https://access.redhat.com/security/cve/CVE-2023-31486 external
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/security/cve/CVE-2023-31484 external
https://access.redhat.com/security/cve/CVE-2020-12723 external
https://access.redhat.com/security/cve/CVE-2020-10878 external
https://access.redhat.com/security/cve/CVE-2018-18314 external
https://access.redhat.com/security/cve/CVE-2018-18313 external
https://access.redhat.com/security/cve/CVE-2018-18312 external
https://access.redhat.com/security/cve/CVE-2018-18311 external
https://access.redhat.com/security/cve/CVE-2018-12015 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2018-12015 self
https://bugzilla.redhat.com/show_bug.cgi?id=1588760 external
https://www.cve.org/CVERecord?id=CVE-2018-12015 external
https://nvd.nist.gov/vuln/detail/CVE-2018-12015 external
https://access.redhat.com/security/cve/CVE-2018-18311 self
https://bugzilla.redhat.com/show_bug.cgi?id=1646730 external
https://www.cve.org/CVERecord?id=CVE-2018-18311 external
https://nvd.nist.gov/vuln/detail/CVE-2018-18311 external
https://access.redhat.com/security/cve/CVE-2018-18312 self
https://bugzilla.redhat.com/show_bug.cgi?id=1646734 external
https://www.cve.org/CVERecord?id=CVE-2018-18312 external
https://nvd.nist.gov/vuln/detail/CVE-2018-18312 external
https://access.redhat.com/security/cve/CVE-2018-18313 self
https://bugzilla.redhat.com/show_bug.cgi?id=1646738 external
https://www.cve.org/CVERecord?id=CVE-2018-18313 external
https://nvd.nist.gov/vuln/detail/CVE-2018-18313 external
https://access.redhat.com/security/cve/CVE-2018-18314 self
https://bugzilla.redhat.com/show_bug.cgi?id=1646751 external
https://www.cve.org/CVERecord?id=CVE-2018-18314 external
https://nvd.nist.gov/vuln/detail/CVE-2018-18314 external
https://access.redhat.com/security/cve/CVE-2020-10878 self
https://bugzilla.redhat.com/show_bug.cgi?id=1837988 external
https://www.cve.org/CVERecord?id=CVE-2020-10878 external
https://nvd.nist.gov/vuln/detail/CVE-2020-10878 external
https://access.redhat.com/security/cve/CVE-2020-12723 self
https://bugzilla.redhat.com/show_bug.cgi?id=1838000 external
https://www.cve.org/CVERecord?id=CVE-2020-12723 external
https://nvd.nist.gov/vuln/detail/CVE-2020-12723 external
https://access.redhat.com/security/cve/CVE-2023-31484 self
https://bugzilla.redhat.com/show_bug.cgi?id=2218667 external
https://www.cve.org/CVERecord?id=CVE-2023-31484 external
https://nvd.nist.gov/vuln/detail/CVE-2023-31484 external
https://access.redhat.com/security/cve/CVE-2023-31486 self
https://bugzilla.redhat.com/show_bug.cgi?id=2228392 external
https://www.cve.org/CVERecord?id=CVE-2023-31486 external
https://nvd.nist.gov/vuln/detail/CVE-2023-31486 external
Acknowledgments
the Perl project
Jayakrishna Menon
Eiichi Tsukata
Jakub Wilk
Hugo van der Sanden
Slaven Rezic
Sergey Aleynikov

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nperl:\n  * perl-5.42.2-524.1.hum1 (aarch64, x86_64)\n  * perl-Attribute-Handlers-1.03-524.1.hum1 (noarch)\n  * perl-AutoLoader-5.74-524.1.hum1 (noarch)\n  * perl-AutoSplit-5.74-524.1.hum1 (noarch)\n  * perl-B-1.89-524.1.hum1 (aarch64, x86_64)\n  * perl-Benchmark-1.27-524.1.hum1 (noarch)\n  * perl-Class-Struct-0.68-524.1.hum1 (noarch)\n  * perl-Config-Extensions-0.03-524.1.hum1 (noarch)\n  * perl-DBM_Filter-0.07-524.1.hum1 (noarch)\n  * perl-Devel-Peek-1.36-524.1.hum1 (aarch64, x86_64)\n  * perl-Devel-SelfStubber-1.06-524.1.hum1 (noarch)\n  * perl-DirHandle-1.05-524.1.hum1 (noarch)\n  * perl-Dumpvalue-2.27-524.1.hum1 (noarch)\n  * perl-DynaLoader-1.57-524.1.hum1 (aarch64, x86_64)\n  * perl-English-1.11-524.1.hum1 (noarch)\n  * perl-Errno-1.38-524.1.hum1 (aarch64, x86_64)\n  * perl-ExtUtils-Constant-0.25-524.1.hum1 (noarch)\n  * perl-ExtUtils-Embed-1.35-524.1.hum1 (noarch)\n  * perl-ExtUtils-Miniperl-1.14-524.1.hum1 (noarch)\n  * perl-Fcntl-1.20-524.1.hum1 (aarch64, x86_64)\n  * perl-File-Basename-2.86-524.1.hum1 (noarch)\n  * perl-File-Compare-1.100.800-524.1.hum1 (noarch)\n  * perl-File-Copy-2.41-524.1.hum1 (noarch)\n  * perl-File-DosGlob-1.12-524.1.hum1 (aarch64, x86_64)\n  * perl-File-Find-1.44-524.1.hum1 (noarch)\n  * perl-File-stat-1.14-524.1.hum1 (noarch)\n  * perl-FileCache-1.10-524.1.hum1 (noarch)\n  * perl-FileHandle-2.05-524.1.hum1 (noarch)\n  * perl-FindBin-1.54-524.1.hum1 (noarch)\n  * perl-GDBM_File-1.24-524.1.hum1 (aarch64, x86_64)\n  * perl-Getopt-Std-1.14-524.1.hum1 (noarch)\n  * perl-Hash-Util-0.32-524.1.hum1 (aarch64, x86_64)\n  * perl-Hash-Util-FieldHash-1.27-524.1.hum1 (aarch64, x86_64)\n  * perl-I18N-Collate-1.02-524.1.hum1 (noarch)\n  * perl-I18N-LangTags-0.45-524.1.hum1 (noarch)\n  * perl-I18N-Langinfo-0.24-524.1.hum1 (aarch64, x86_64)\n  * perl-IO-1.55-524.1.hum1 (aarch64, x86_64)\n  * perl-IPC-Open3-1.24-524.1.hum1 (noarch)\n  * perl-Locale-Maketext-Simple-0.21-524.1.hum1 
(noarch)\n  * perl-Math-Complex-1.63-524.1.hum1 (noarch)\n  * perl-Memoize-1.17-524.1.hum1 (noarch)\n  * perl-Module-Loaded-0.08-524.1.hum1 (noarch)\n  * perl-NDBM_File-1.18-524.1.hum1 (aarch64, x86_64)\n  * perl-NEXT-0.69-524.1.hum1 (noarch)\n  * perl-Net-1.04-524.1.hum1 (noarch)\n  * perl-ODBM_File-1.20-524.1.hum1 (aarch64, x86_64)\n  * perl-Opcode-1.69-524.1.hum1 (aarch64, x86_64)\n  * perl-POSIX-2.23-524.1.hum1 (aarch64, x86_64)\n  * perl-Pod-Functions-1.14-524.1.hum1 (noarch)\n  * perl-Pod-Html-1.35-524.1.hum1 (noarch)\n  * perl-Safe-2.47-524.1.hum1 (noarch)\n  * perl-Search-Dict-1.08-524.1.hum1 (noarch)\n  * perl-SelectSaver-1.02-524.1.hum1 (noarch)\n  * perl-SelfLoader-1.28-524.1.hum1 (noarch)\n  * perl-Symbol-1.09-524.1.hum1 (noarch)\n  * perl-Sys-Hostname-1.25-524.1.hum1 (aarch64, x86_64)\n  * perl-Term-Complete-1.403-524.1.hum1 (noarch)\n  * perl-Term-ReadLine-1.17-524.1.hum1 (noarch)\n  * perl-Test-1.31-524.1.hum1 (noarch)\n  * perl-Text-Abbrev-1.02-524.1.hum1 (noarch)\n  * perl-Thread-3.06-524.1.hum1 (noarch)\n  * perl-Thread-Semaphore-2.13-524.1.hum1 (noarch)\n  * perl-Tie-4.6-524.1.hum1 (noarch)\n  * perl-Tie-File-1.10-524.1.hum1 (noarch)\n  * perl-Tie-Memoize-1.1-524.1.hum1 (noarch)\n  * perl-Time-1.04-524.1.hum1 (noarch)\n  * perl-Time-Piece-1.3600-524.1.hum1 (aarch64, x86_64)\n  * perl-Unicode-UCD-0.81-524.1.hum1 (noarch)\n  * perl-User-pwent-1.05-524.1.hum1 (noarch)\n  * perl-autouse-1.11-524.1.hum1 (noarch)\n  * perl-base-2.27-524.1.hum1 (noarch)\n  * perl-blib-1.07-524.1.hum1 (noarch)\n  * perl-debugger-1.60-524.1.hum1 (noarch)\n  * perl-deprecate-0.04-524.1.hum1 (noarch)\n  * perl-devel-5.42.2-524.1.hum1 (aarch64, x86_64)\n  * perl-diagnostics-1.40-524.1.hum1 (noarch)\n  * perl-doc-5.42.2-524.1.hum1 (noarch)\n  * perl-encoding-warnings-0.14-524.1.hum1 (noarch)\n  * perl-fields-2.27-524.1.hum1 (noarch)\n  * perl-filetest-1.03-524.1.hum1 (noarch)\n  * perl-if-0.61.000-524.1.hum1 (noarch)\n  * perl-interpreter-5.42.2-524.1.hum1 (aarch64, x86_64)\n 
 * perl-less-0.03-524.1.hum1 (noarch)\n  * perl-lib-0.65-524.1.hum1 (aarch64, x86_64)\n  * perl-libnetcfg-5.42.2-524.1.hum1 (noarch)\n  * perl-libs-5.42.2-524.1.hum1 (aarch64, x86_64)\n  * perl-locale-1.13-524.1.hum1 (noarch)\n  * perl-macros-5.42.2-524.1.hum1 (noarch)\n  * perl-meta-notation-5.42.2-524.1.hum1 (noarch)\n  * perl-mro-1.29-524.1.hum1 (aarch64, x86_64)\n  * perl-open-1.13-524.1.hum1 (noarch)\n  * perl-overload-1.40-524.1.hum1 (noarch)\n  * perl-overloading-0.02-524.1.hum1 (noarch)\n  * perl-ph-5.42.2-524.1.hum1 (aarch64, x86_64)\n  * perl-sigtrap-1.10-524.1.hum1 (noarch)\n  * perl-sort-2.06-524.1.hum1 (noarch)\n  * perl-subs-1.04-524.1.hum1 (noarch)\n  * perl-tests-5.42.2-524.1.hum1 (aarch64, x86_64)\n  * perl-utils-5.42.2-524.1.hum1 (noarch)\n  * perl-vars-1.05-524.1.hum1 (noarch)\n  * perl-vmsish-1.04-524.1.hum1 (noarch)\n  * perl-5.42.2-524.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:7604",
        "url": "https://access.redhat.com/errata/RHSA-2026:7604"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2023-31486",
        "url": "https://access.redhat.com/security/cve/CVE-2023-31486"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2023-31484",
        "url": "https://access.redhat.com/security/cve/CVE-2023-31484"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2020-12723",
        "url": "https://access.redhat.com/security/cve/CVE-2020-12723"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2020-10878",
        "url": "https://access.redhat.com/security/cve/CVE-2020-10878"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2018-18314",
        "url": "https://access.redhat.com/security/cve/CVE-2018-18314"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2018-18313",
        "url": "https://access.redhat.com/security/cve/CVE-2018-18313"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2018-18312",
        "url": "https://access.redhat.com/security/cve/CVE-2018-18312"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2018-18311",
        "url": "https://access.redhat.com/security/cve/CVE-2018-18311"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2018-12015",
        "url": "https://access.redhat.com/security/cve/CVE-2018-12015"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7604.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-04-21T13:31:12+00:00",
      "generator": {
        "date": "2026-04-21T13:31:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:7604",
      "initial_release_date": "2026-04-10T22:59:35+00:00",
      "revision_history": [
        {
          "date": "2026-04-10T22:59:35+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-21T02:54:18+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-21T13:31:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-main@aarch64",
                "product": {
                  "name": "perl-main@aarch64",
                  "product_id": "perl-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/perl@5.42.2-524.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-main@src",
                "product": {
                  "name": "perl-main@src",
                  "product_id": "perl-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/perl@5.42.2-524.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-main@x86_64",
                "product": {
                  "name": "perl-main@x86_64",
                  "product_id": "perl-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/perl@5.42.2-524.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "perl-main@noarch",
                "product": {
                  "name": "perl-main@noarch",
                  "product_id": "perl-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/perl-Attribute-Handlers@1.03-524.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:perl-main@aarch64"
        },
        "product_reference": "perl-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:perl-main@noarch"
        },
        "product_reference": "perl-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:perl-main@src"
        },
        "product_reference": "perl-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:perl-main@x86_64"
        },
        "product_reference": "perl-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-12015",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2018-06-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1588760"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: Directory traversal in Archive::Tar",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-12015"
        },
        {
          "category": "external",
          "summary": "RHBZ#1588760",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588760"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-12015",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-12015"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12015"
        }
      ],
      "release_date": "2018-06-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "perl: Directory traversal in Archive::Tar"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Perl project"
          ]
        },
        {
          "names": [
            "Jayakrishna Menon"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2018-18311",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2018-11-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1646730"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: Integer overflow leading to buffer overflow in Perl_my_setenv()",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is present in versions of perl included with Red Hat Virtualization Hypervisor and Management Appliance, however it is not exposed in any meaningful way. Perl is only included in these images as a dependency of components which do not manipulate ENV, and are not exposed to user input. A future update may address this issue.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-18311"
        },
        {
          "category": "external",
          "summary": "RHBZ#1646730",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646730"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-18311",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-18311"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18311"
        }
      ],
      "release_date": "2018-11-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "perl: Integer overflow leading to buffer overflow in Perl_my_setenv()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Perl project"
          ]
        },
        {
          "names": [
            "Eiichi Tsukata"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2018-18312",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2018-11-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1646734"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: Heap-based buffer overflow in S_handle_regex_sets()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-18312"
        },
        {
          "category": "external",
          "summary": "RHBZ#1646734",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646734"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-18312",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-18312"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18312"
        }
      ],
      "release_date": "2018-11-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "perl: Heap-based buffer overflow in S_handle_regex_sets()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Perl project"
          ]
        },
        {
          "names": [
            "Eiichi Tsukata"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2018-18313",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "discovery_date": "2018-11-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1646738"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: Heap-based buffer read overflow in S_grok_bslash_N()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-18313"
        },
        {
          "category": "external",
          "summary": "RHBZ#1646738",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646738"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-18313",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-18313"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18313"
        }
      ],
      "release_date": "2018-11-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "perl: Heap-based buffer read overflow in S_grok_bslash_N()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Perl project"
          ]
        },
        {
          "names": [
            "Jakub Wilk"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2018-18314",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2018-11-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1646751"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: Heap-based buffer overflow in S_regatom()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-18314"
        },
        {
          "category": "external",
          "summary": "RHBZ#1646751",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1646751"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-18314",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-18314"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18314"
        }
      ],
      "release_date": "2018-11-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "perl: Heap-based buffer overflow in S_regatom()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Hugo van der Sanden",
            "Slaven Rezic"
          ]
        }
      ],
      "cve": "CVE-2020-10878",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2020-05-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1837988"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is an integer overflow triggered when an application compiles a specially crafted, untrusted regular expression pattern supplied by a user, as most applications match untrusted data against a trusted regex pattern. The flaw leads to a corruption of the intermediate language state. While this could theoretically allow an attacker to insert instructions, the resulting behavior is unpredictable, and any potential code execution is likely outside of an attacker\u0027s reliable control. Therefore, the most probable and practical impact is an application crash, resulting in a Denial of Service (DoS).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10878"
        },
        {
          "category": "external",
          "summary": "RHBZ#1837988",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1837988"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10878",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10878"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878"
        }
      ],
      "release_date": "2020-06-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        },
        {
          "category": "workaround",
          "details": "To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Sergey Aleynikov"
          ]
        }
      ],
      "cve": "CVE-2020-12723",
      "cwe": {
        "id": "CWE-624",
        "name": "Executable Regular Expression Error"
      },
      "discovery_date": "2020-05-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1838000"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A vulnerability in the Perl regular expression compiler affects Red Hat Enterprise Linux 7 and 8. The flaw exists in the S_study_chunk() function\u0027s handling of GOSUB opcodes during regular expression compilation. When processing untrusted regular expressions, recursive calls to S_study_chunk() can corrupt the intermediate language state, allowing an attacker to inject malicious instructions into the compiled regular expression. This network-accessible vulnerability can lead to denial of service. To mitigate, applications should not allow compilation of untrusted regular expressions. Note that this issue affects regular expression compilation, not pattern matching against untrusted input.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-12723"
        },
        {
          "category": "external",
          "summary": "RHBZ#1838000",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838000"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-12723",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-12723"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723"
        }
      ],
      "release_date": "2020-06-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        },
        {
          "category": "workaround",
          "details": "To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS"
    },
    {
      "cve": "CVE-2023-31484",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "discovery_date": "2023-06-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2218667"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Perl\u0027s CPAN, which doesn\u0027t check TLS certificates when downloading content. This happens due to `verify_SSL` missing when using the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-31484"
        },
        {
          "category": "external",
          "summary": "RHBZ#2218667",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218667"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-31484",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-31484"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484"
        }
      ],
      "release_date": "2023-04-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS"
    },
    {
      "cve": "CVE-2023-31486",
      "cwe": {
        "id": "CWE-1188",
        "name": "Initialization of a Resource with an Insecure Default"
      },
      "discovery_date": "2023-08-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2228392"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in HTTP::Tiny, a Perl core module and standalone CPAN package, which does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=\u003e1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "http-tiny: perl: insecure TLS cert default",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as a moderate severity because it does not compromise data or credentials; it exposes users to significant security risks if HTTPS connections are not properly configured.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:perl-main@aarch64",
          "Red Hat Hardened Images:perl-main@noarch",
          "Red Hat Hardened Images:perl-main@src",
          "Red Hat Hardened Images:perl-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-31486"
        },
        {
          "category": "external",
          "summary": "RHBZ#2228392",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228392"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-31486",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-31486"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31486"
        }
      ],
      "release_date": "2023-04-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-10T22:59:35+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:perl-main@aarch64",
            "Red Hat Hardened Images:perl-main@noarch",
            "Red Hat Hardened Images:perl-main@src",
            "Red Hat Hardened Images:perl-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "http-tiny: perl: insecure TLS cert default"
    }
  ]
}

