CVE-2016-10374 Information

Description

perltidy through 20160302 as used by perlcritic check-all-the-things and other software relies on the current working directory for certain output files and does not have a symlink-attack protection mechanism which allows local users to overwrite arbitrary files by creating a symlink as demonstrated by creating a perltidy.ERR symlink that the victim cannot delete.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reference

https://bugs.debian.org/862667

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

5.5