Storable versions before 3.05 for Perl have a stack overflow. The retrieve_hook function stored the length of the class name in a signed integer, but read operations treated the length as unsigned. This allowed an attacker to craft data that could trigger the overflow.

The perldoc for Storable says: Do not accept Storable documents from untrusted sources! There is no way to configure Storable so that it can be used safely to process untrusted data. With the default setting of $Storable::flags = 6, creating or destroying random objects, even renamed objects can be controlled by an attacker. See CVE-2015-1592 and its metasploit module.
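The signed-store, unsigned-read mismatch described above, shown as a simplified model next to a hardened length check. This is an added example, not Storable's source code: the 4-byte big-endian length prefix, `NAME_BUF`, `flawed_request` and `read_class_name` are assumptions made for illustration, and the flawed function only reports the size it would request without copying anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256 /* assumed size of the fixed class-name buffer */

/* Decode an assumed 4-byte big-endian length prefix into a signed 32-bit value. */
static int32_t get_len(const unsigned char *p) {
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    int32_t s;
    memcpy(&s, &u, sizeof s);
    return s;
}

/* Flawed pattern: the bound is checked as a signed value, the read uses it as
   unsigned. Returns the byte count the read would request (nothing is copied). */
size_t flawed_request(const unsigned char *in, size_t in_len) {
    if (in_len < 4) return 0;
    int32_t len = get_len(in);
    if (len > NAME_BUF - 1) return 0; /* signed compare: a negative len passes */
    return (size_t)len;               /* negative len becomes a huge count */
}

/* Hardened: reject negative, oversized and truncated lengths before copying.
   Returns the name length, or -1 when the input is rejected. */
int read_class_name(const unsigned char *in, size_t in_len, char out[NAME_BUF]) {
    if (in_len < 4) return -1;
    int32_t len = get_len(in);
    if (len < 0 || len > NAME_BUF - 1) return -1;
    if ((size_t)len > in_len - 4) return -1;
    memcpy(out, in + 4, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

int main(void) {
    unsigned char bad[] = {0xFF, 0xFF, 0xFF, 0xFF};         /* constructed: length -1 */
    unsigned char ok[] = {0x00, 0x00, 0x00, 0x03, 'F', 'o', 'o'}; /* constructed */
    char out[NAME_BUF];
    printf("flawed request for len=-1: %zu bytes\n", flawed_request(bad, sizeof bad));
    printf("hardened, len=-1: %d\n", read_class_name(bad, sizeof bad, out));
    printf("hardened, valid:  %d\n", read_class_name(ok, sizeof ok, out));
    return 0;
}
```
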
| Vendor | Product | Versions |
|---|---|---|
| nwclark | storable | 0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| red hat | enterprise linux | cert_advisory | 90% |
Updated description to include security warnings from the Storable perldoc and a reference to CVE-2015-1592, and added the 'serialization' tag.
Marked exploitAvailable and activelyExploited as true, and updated patchAvailable to null.
Updated severity to CRITICAL, affected versions to 3.04, and corrected exploit availability to false.
Initial creation