CVE-2016-1238

high

Published 2016-08-02 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.8

Description

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

OS	Version	Status	Fixed in
sles		affected
fedora	23	affected
fedora	24	affected
suse	15.0	affected
debian	8.0	affected
debian	bookworm	fixed	`5.22.2-3`
debian	bullseye	fixed	`5.22.2-3`
debian	forky	fixed	`5.22.2-3`
debian	sid	fixed	`5.22.2-3`
debian	trixie	fixed	`5.22.2-3`

Application impact

Vendor	Product	Versions	Fixed
perl	perl	`5.13.10`
perl	perl	`1.0.15`
perl	perl	`1.0.16`
perl	perl	`5.000`
perl	perl	`5.000o`
perl	perl	`5.001`
perl	perl	`5.001n`
perl	perl	`5.002`
perl	perl	`5.002_01`
perl	perl	`5.003`
perl	perl	`5.003_01`
perl	perl	`5.003_02`
perl	perl	`5.003_03`
perl	perl	`5.003_04`
perl	perl	`5.003_05`
perl	perl	`5.003_07`
perl	perl	`5.003_08`
perl	perl	`5.003_09`
perl	perl	`5.003_10`
perl	perl	`5.003_11`
perl	perl	`5.003_12`
perl	perl	`5.003_13`
perl	perl	`5.003_14`
perl	perl	`5.003_15`
perl	perl	`5.003_16`
perl	perl	`5.003_17`
perl	perl	`5.003_18`
perl	perl	`5.003_19`
perl	perl	`5.003_20`
perl	perl	`5.003_21`
perl	perl	`5.003_22`
perl	perl	`5.003_23`
perl	perl	`5.003_24`
perl	perl	`5.003_25`
perl	perl	`5.003_26`
perl	perl	`5.003_27`
perl	perl	`5.003_28`
perl	perl	`5.003_90`
perl	perl	`5.003_91`
perl	perl	`5.003_92`
perl	perl	`5.003_93`
perl	perl	`5.003_94`
perl	perl	`5.003_95`
perl	perl	`5.003_96`
perl	perl	`5.003_97`
perl	perl	`5.003_97a`
perl	perl	`5.003_97b`
perl	perl	`5.003_97c`
perl	perl	`5.003_97d`
perl	perl	`5.003_97e`
perl	perl	`5.003_97f`
perl	perl	`5.003_97g`
perl	perl	`5.003_97h`
perl	perl	`5.003_97i`
perl	perl	`5.003_97j`
perl	perl	`5.003_98`
perl	perl	`5.003_99`
perl	perl	`5.003_99a`
perl	perl	`5.004`
perl	perl	`5.004_01`
perl	perl	`5.004_02`
perl	perl	`5.004_03`
perl	perl	`5.004_04`
perl	perl	`5.004_05`
perl	perl	`5.005`
perl	perl	`5.005_01`
perl	perl	`5.005_02`
perl	perl	`5.005_03`
perl	perl	`5.005_04`
perl	perl	`5.6`
perl	perl	`5.6.0`
perl	perl	`5.6.1`
perl	perl	`5.6.2`
perl	perl	`5.7.3`
perl	perl	`5.8`
perl	perl	`5.8.0`
perl	perl	`5.8.1`
perl	perl	`5.8.2`
perl	perl	`5.8.3`
perl	perl	`5.8.4`
perl	perl	`5.8.5`
perl	perl	`5.8.6`
perl	perl	`5.8.7`
perl	perl	`5.8.8`
perl	perl	`5.8.9`
perl	perl	`5.9.0`
perl	perl	`5.9.1`
perl	perl	`5.9.2`
perl	perl	`5.9.3`
perl	perl	`5.9.4`
perl	perl	`5.9.5`
perl	perl	`5.10`
perl	perl	`5.10.0`
perl	perl	`5.10.1`
perl	perl	`5.11.0`
perl	perl	`5.11.1`
perl	perl	`5.11.2`
perl	perl	`5.11.3`
perl	perl	`5.11.4`
perl	perl	`5.11.5`
perl	perl	`5.12.0`
perl	perl	`5.12.1`
perl	perl	`5.12.2`
perl	perl	`5.12.3`
perl	perl	`5.12.4`
perl	perl	`5.12.5`
perl	perl	`5.13.0`
perl	perl	`5.13.1`
perl	perl	`5.13.2`
perl	perl	`5.13.3`
perl	perl	`5.13.4`
perl	perl	`5.13.5`
perl	perl	`5.13.6`
perl	perl	`5.13.7`
perl	perl	`5.13.8`
perl	perl	`5.13.9`
perl	perl	`5.13.11`
perl	perl	`5.14.0`
perl	perl	`5.14.1`
perl	perl	`5.14.2`
perl	perl	`5.14.3`
perl	perl	`5.14.4`
perl	perl	`5.15.0`
perl	perl	`5.15.1`
perl	perl	`5.15.2`
perl	perl	`5.15.3`
perl	perl	`5.15.4`
perl	perl	`5.15.5`
perl	perl	`5.15.6`
perl	perl	`5.15.7`
perl	perl	`5.15.8`
perl	perl	`5.15.9`
perl	perl	`5.16.0`
perl	perl	`5.16.1`
perl	perl	`5.16.2`
perl	perl	`5.16.3`
perl	perl	`5.17.0`
perl	perl	`5.17.1`
perl	perl	`5.17.2`
perl	perl	`5.17.3`
perl	perl	`5.17.4`
perl	perl	`5.17.5`
perl	perl	`5.17.6`
perl	perl	`5.17.7`
perl	perl	`5.17.7.0`
perl	perl	`5.17.8`
perl	perl	`5.17.9`
perl	perl	`5.17.10`
perl	perl	`5.17.11`
perl	perl	`5.18.0`
perl	perl	`5.18.1`
perl	perl	`5.18.2`
perl	perl	`5.18.3`
perl	perl	`5.18.4`
perl	perl	`5.19.0`
perl	perl	`5.19.1`
perl	perl	`5.19.2`
perl	perl	`5.19.3`
perl	perl	`5.19.4`
perl	perl	`5.19.5`
perl	perl	`5.19.6`
perl	perl	`5.19.7`
perl	perl	`5.19.8`
perl	perl	`5.19.9`
perl	perl	`5.19.10`
perl	perl	`5.19.11`
perl	perl	`5.20.0`
perl	perl	`5.20.1`
perl	perl	`5.20.2`
perl	perl	`5.20.3`
perl	perl	`5.21.0`
perl	perl	`5.21.1`
perl	perl	`5.21.2`
perl	perl	`5.21.3`
perl	perl	`5.21.4`
perl	perl	`5.21.5`
perl	perl	`5.21.6`
perl	perl	`5.21.7`
perl	perl	`5.21.8`
perl	perl	`5.21.9`
perl	perl	`5.21.10`
perl	perl	`5.21.11`
perl	perl	`5.22.0`
perl	perl	`5.22.1`
perl	perl	`5.22.2`
perl	perl	`5.22.3`
perl	perl	`5.24.0`
perl	perl	`5.24.1`
apache	spamassassin	`{"endExcluding":"3.4.2"}`	`3.4.2`

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.