From 008a14f7e8599b1fffe000b28de9ad8247f83c28 Mon Sep 17 00:00:00 2001 From: brian d foy Date: Sat, 24 Aug 2024 00:33:52 -0400 Subject: [PATCH] Move to the new v2 format of the reports: * affected_versions, fixed_versions, and cves keys are now arrays * the format of the output for cpan_audit is slightly different to show multiple affected ranges. * the util/generate is lifted from briandfoy/cpan-security-advisory, which handles the new format. This is a baby step toward breaking out CPAN::Audit::DB into its own distribution. --- lib/CPAN/Audit.pm | 2 +- lib/CPAN/Audit/DB.pm | 3174 +++++++++++++++++++++++++++----------- lib/CPAN/Audit/DB.pm.gpg | 26 +- 3 files changed, 2322 insertions(+), 880 deletions(-) diff --git a/lib/CPAN/Audit.pm b/lib/CPAN/Audit.pm index 0e65ab8..f6ba4f0 100644 --- a/lib/CPAN/Audit.pm +++ b/lib/CPAN/Audit.pm @@ -14,7 +14,7 @@ use CPAN::Audit::Version; use CPAN::Audit::Query; use CPAN::Audit::DB; -our $VERSION = '20240824.001'; +our $VERSION = '20240824.003'; sub new { my( $class, %params ) = @_; diff --git a/lib/CPAN/Audit/DB.pm b/lib/CPAN/Audit/DB.pm index 8662405..e0c993a 100644 --- a/lib/CPAN/Audit/DB.pm +++ b/lib/CPAN/Audit/DB.pm @@ -1,12 +1,35 @@ -# created by util/generate at Fri Aug 23 11:58:01 2024 -# cpan-security-advisory +7269468a4aeb9736a5aa0b183d428b243e682572 +# created by util/generate at Sat Aug 24 00:29:27 2024 +# cpan-security-advisory a64317f9ff7e0fd1497e936a8bd8f9057ddb1ac7 # + +=encoding utf8 + +=head1 NAME + +CPAN::Audit::DB - the CPAN Security Advisory data as a Perl data structure, mostly for CPAN::Audit + +=head1 SYNOPSIS + +=head1 DESCRIPTION + +=cut + package CPAN::Audit::DB; use strict; use warnings; -our $VERSION = '20240823.001'; +our $VERSION = '20240824.003'; + +=over 4 + +=item * db + +Returns the hashref of all the CPANSA reports + +=back + +=cut sub db { { 
@@ -14,7 +37,9 @@ sub db { 'ActivePerl' => { 'advisories' => [ { - 'affected_versions' => '=5.16.1.1601', + 'affected_versions' => [ + '=5.16.1.1601' + ], 'cves' => [ 'CVE-2012-5377' ], @@ -22,7 +47,7 @@ sub db { 'description' => 'Untrusted search path vulnerability in the installation functionality in ActivePerl 5.16.1.1601, when installed in the top-level C:\\ directory, allows local users to gain privileges via a Trojan horse DLL in the C:\\Perl\\Site\\bin directory, which is added to the PATH system environment variable, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. ', 'distribution' => 'ActivePerl', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-ActivePerl-2012-5377', 'references' => [ 'https://www.htbridge.com/advisory/HTB23108', @@ -32,7 +57,9 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '=5.8.8.817', + 'affected_versions' => [ + '=5.8.8.817' + ], 'cves' => [ 'CVE-2006-2856' ], @@ -40,7 +67,7 @@ sub db { 'description' => 'ActiveState ActivePerl 5.8.8.817 for Windows configures the site/lib directory with "Users" group permissions for changing files, which allows local users to gain privileges by creating a malicious sitecustomize.pl file in that directory. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. ', 'distribution' => 'ActivePerl', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-ActivePerl-2006-2856', 'references' => [ 'http://secunia.com/advisories/20328', @@ -53,7 +80,9 @@ sub db { 'severity' => undef }, { - 'affected_versions' => undef, + 'affected_versions' => [ + '<=5.8.1' + ], 'cves' => [ 'CVE-2004-2286' ], 
@@ -61,7 +90,7 @@ sub db { 'description' => 'Integer overflow in the duplication operator in ActivePerl allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large multiplier, which may trigger a buffer overflow. ', 'distribution' => 'ActivePerl', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-ActivePerl-2004-2286', 'references' => [ 'http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0878.html', @@ -72,7 +101,9 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<5.10', + 'affected_versions' => [ + '<5.10' + ], 'cves' => [ 'CVE-2004-2022' ], @@ -80,7 +111,7 @@ sub db { 'description' => 'ActivePerl 5.8.x and others, and Larry Wall\'s Perl 5.6.1 and others, when running on Windows systems, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl. ', 'distribution' => 'ActivePerl', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-ActivePerl-2004-2022', 'references' => [ 'http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt', @@ -97,7 +128,7 @@ sub db { 'severity' => undef }, { - 'affected_versions' => undef, + 'affected_versions' => [], 'cves' => [ 'CVE-2004-0377' ], @@ -105,7 +136,7 @@ sub db { 'description' => 'Buffer overflow in the win32_stat function for (1) ActiveState\'s ActivePerl and (2) Larry Wall\'s Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character. ', 'distribution' => 'ActivePerl', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-ActivePerl-2004-0377', 'references' => [ 'http://www.kb.cert.org/vuls/id/722414', 
@@ -119,7 +150,9 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<=5.6.1.629', + 'affected_versions' => [ + '<=5.6.1.629' + ], 'cves' => [ 'CVE-2001-0815' ], @@ -127,7 +160,7 @@ sub db { 'description' => 'Buffer overflow in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename that ends in a .pl extension. ', 'distribution' => 'ActivePerl', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-ActivePerl-2001-0815', 'references' => [ 'http://bugs.activestate.com/show_bug.cgi?id=18062', @@ -144,7 +177,9 @@ sub db { 'Alien-PCRE2' => { 'advisories' => [ { - 'affected_versions' => '<0.016000', + 'affected_versions' => [ + '<0.016000' + ], 'comment' => 'This Alien module fetches libpcre2 sources from the network. It tries to get the latest unless you set environment variables to get a different version. ', 'cves' => [ @@ -153,7 +188,9 @@ sub db { 'description' => 'An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \\X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. ', 'distribution' => 'Alien-PCRE2', - 'fixed_versions' => '>=0.016000', + 'fixed_versions' => [ + '>=0.016000' + ], 'id' => 'CPANSA-Alien-PCRE2-2019-20454', 'references' => [ 'https://bugs.php.net/bug.php?id=78338', 
@@ -242,12 +279,16 @@ sub db { 'Apache-ASP' => { 'advisories' => [ { - 'affected_versions' => '<1.95', + 'affected_versions' => [ + '<1.95' + ], 'cves' => [], 'description' => 'A bug would allow a malicious user possible writing of files in the same directory as the source.asp script. ', 'distribution' => 'Apache-ASP', - 'fixed_versions' => '>=1.95', + 'fixed_versions' => [ + '>=1.95' + ], 'id' => 'CPANSA-Apache-ASP-2000-01', 'references' => [ 'https://metacpan.org/release/CHAMAS/Apache-ASP-2.63/source/README' @@ -459,14 +500,18 @@ sub db { 'Apache-AuthCAS' => { 'advisories' => [ { - 'affected_versions' => '<0.5', + 'affected_versions' => [ + '<0.5' + ], 'cves' => [ 'CVE-2007-6342' ], 'description' => 'A tainted cookie could be sent by a malicious user and it would be used in an SQL query without protection against SQL injection. ', 'distribution' => 'Apache-AuthCAS', - 'fixed_versions' => '>=0.5', + 'fixed_versions' => [ + '>=0.5' + ], 'id' => 'CPANSA-Apache-AuthCAS-2007-01', 'references' => [ 'https://metacpan.org/changes/distribution/Apache-AuthCAS', @@ -503,14 +548,16 @@ sub db { 'Apache-AuthenHook' => { 'advisories' => [ { - 'affected_versions' => '>=2.00_04', + 'affected_versions' => [ + '>=2.00_04' + ], 'cves' => [ 'CVE-2010-3845' ], 'description' => 'libapache-authenhook-perl 2.00-04 stores usernames and passwords in plaintext in the vhost error log. ', 'distribution' => 'Apache-AuthenHook', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Apache-AuthenHook-2010-3845', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=62040', 
@@ -540,12 +587,16 @@ sub db { 'Apache-MP3' => { 'advisories' => [ { - 'affected_versions' => '<2.15', + 'affected_versions' => [ + '<2.15' + ], 'cves' => [], 'description' => 'A security bug allowed people to bypass the AllowDownload setting. ', 'distribution' => 'Apache-MP3', - 'fixed_versions' => '>=2.15', + 'fixed_versions' => [ + '>=2.15' + ], 'id' => 'CPANSA-Apache-MP3-2001-01', 'references' => [ 'https://metacpan.org/dist/Apache-MP3/changes' @@ -661,14 +712,18 @@ sub db { 'Apache-Session-Browseable' => { 'advisories' => [ { - 'affected_versions' => '<1.3.6', + 'affected_versions' => [ + '<1.3.6' + ], 'cves' => [ 'CVE-2020-36659' ], 'description' => 'In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix. ', 'distribution' => 'Apache-Session-Browseable', - 'fixed_versions' => '>=1.3.6', + 'fixed_versions' => [ + '>=1.3.6' + ], 'id' => 'CPANSA-Apache-Session-Browseable-2020-36659', 'references' => [ 'https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f', 
@@ -833,14 +888,18 @@ sub db { 'Apache-Session-LDAP' => { 'advisories' => [ { - 'affected_versions' => '<0.5', + 'affected_versions' => [ + '<0.5' + ], 'cves' => [ 'CVE-2020-36658' ], 'description' => 'In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix. ', 'distribution' => 'Apache-Session-LDAP', - 'fixed_versions' => '>=0.5', + 'fixed_versions' => [ + '>=0.5' + ], 'id' => 'CPANSA-Apache-Session-LDAP-2020-36658', 'references' => [ 'https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit/490722b71eed1ed1ab33d58c78578f23e043561f', @@ -885,12 +944,16 @@ sub db { 'Apache-SessionX' => { 'advisories' => [ { - 'affected_versions' => '<2.01', + 'affected_versions' => [ + '<2.01' + ], 'cves' => [], 'description' => 'Problem in session_id validation, which allows creation of session with invalid ids. ', 'distribution' => 'Apache-SessionX', - 'fixed_versions' => '>=2.01', + 'fixed_versions' => [ + '>=2.01' + ], 'id' => 'CPANSA-Apache-SessionX-2005-01', 'references' => [ 'https://metacpan.org/changes/distribution/Apache-SessionX' @@ -917,12 +980,16 @@ sub db { 'Apache-Wyrd' => { 'advisories' => [ { - 'affected_versions' => '<0.97', + 'affected_versions' => [ + '<0.97' + ], 'cves' => [], 'description' => 'User-submitted data cab be executed if it is displayed on a page, if the data contains a string that can be interpreted as a Wyrd. ', 'distribution' => 'Apache-Wyrd', - 'fixed_versions' => '>=0.97', + 'fixed_versions' => [ + '>=0.97' + ], 'id' => 'CPANSA-Apache-Wyrd-2008-01', 'references' => [ 'https://metacpan.org/dist/Apache-Wyrd/changes' 
@@ -1006,14 +1073,18 @@ sub db { 'App-Context' => { 'advisories' => [ { - 'affected_versions' => '>=0.01,<=0.968', + 'affected_versions' => [ + '>=0.01,<=0.968' + ], 'cves' => [ 'CVE-2012-6141' ], 'description' => 'The App::Context module 0.01 through 0.968 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request to (1) App::Session::Cookie or (2) App::Session::HTMLHidden, which is not properly handled when it is deserialized. ', 'distribution' => 'App-Context', - 'fixed_versions' => '>0.968', + 'fixed_versions' => [ + '>0.968' + ], 'id' => 'CPANSA-App-Context-2012-6141', 'references' => [ 'http://seclists.org/oss-sec/2013/q2/318', @@ -1082,14 +1153,18 @@ sub db { 'App-Github-Email' => { 'advisories' => [ { - 'affected_versions' => '<0.3.3', + 'affected_versions' => [ + '<0.3.3' + ], 'cves' => [ 'CVE-2015-7686' ], 'description' => 'Insecure dependency on Email::Address. ', 'distribution' => 'App-Github-Email', - 'fixed_versions' => '>=0.3.3', + 'fixed_versions' => [ + '>=0.3.3' + ], 'id' => 'CPANSA-App-Github-Email-2018-01', 'references' => [ 'https://metacpan.org/changes/distribution/App-Github-Email', @@ -1161,14 +1236,18 @@ sub db { 'App-cpanminus' => { 'advisories' => [ { - 'affected_versions' => '<=1.7044', + 'affected_versions' => [ + '<=1.7044' + ], 'cves' => [ 'CVE-2020-16154' ], 'description' => 'The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass. ', 'distribution' => 'App-cpanminus', - 'fixed_versions' => '>=1.7045', + 'fixed_versions' => [ + '>=1.7045' + ], 'id' => 'CPANSA-App-cpanminus-2020-01', 'references' => [ 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/', 
@@ -2261,14 +2340,18 @@ sub db { 'App-japerl' => { 'advisories' => [ { - 'affected_versions' => '<0.09', + 'affected_versions' => [ + '<0.09' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'App-japerl', - 'fixed_versions' => '>=0.09', + 'fixed_versions' => [ + '>=0.09' + ], 'id' => 'CPANSA-App-japerl-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', 
@@ -2322,14 +2405,18 @@ sub db { 'App-perlall' => { 'advisories' => [ { - 'affected_versions' => '<0.33', + 'affected_versions' => [ + '<0.33' + ], 'cves' => [ 'CVE-2013-1667' ], 'description' => 'The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key. ', 'distribution' => 'App-perlall', - 'fixed_versions' => '>=0.33', + 'fixed_versions' => [ + '>=0.33' + ], 'id' => 'CPANSA-App-perlall-2013-1667', 'references' => [ 'http://www.securityfocus.com/bid/58311', @@ -2566,14 +2653,16 @@ sub db { 'Archive-Tar' => { 'advisories' => [ { - 'affected_versions' => '<2.28', + 'affected_versions' => [ + '<2.28' + ], 'cves' => [ 'CVE-2018-12015' ], 'description' => 'In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. ', 'distribution' => 'Archive-Tar', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Archive-Tar-2018-01', 'references' => [ 'https://security-tracker.debian.org/tracker/CVE-2018-12015', @@ -2583,14 +2672,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<=1.36', + 'affected_versions' => [ + '<=1.36' + ], 'cves' => [ 'CVE-2007-4829' ], 'description' => 'Directory traversal vulnerability in the Archive::Tar Perl module 1.36 and earlier allows user-assisted remote attackers to overwrite arbitrary files via a TAR archive that contains a file whose name is an absolute path or has ".." sequences. ', 'distribution' => 'Archive-Tar', - 'fixed_versions' => '>1.36', + 'fixed_versions' => [ + '>1.36' + ], 'id' => 'CPANSA-Archive-Tar-2007-4829', 'references' => [ 'http://rt.cpan.org/Public/Bug/Display.html?id=29517', 
@@ -2613,14 +2706,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<2.10', + 'affected_versions' => [ + '<2.10' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '\'(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.\' ', 'distribution' => 'Archive-Tar', - 'fixed_versions' => '>=2.10', + 'fixed_versions' => [ + '>=2.10' + ], 'id' => 'CPANSA-Archive-Tar-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', 
@@ -3046,14 +3143,16 @@ sub db { 'Archive-Zip' => { 'advisories' => [ { - 'affected_versions' => '<1.61', + 'affected_versions' => [ + '<1.61' + ], 'cves' => [ 'CVE-2018-10860' ], 'description' => 'perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to provide a specially crafted archive for processing could use this flaw to write or overwrite arbitrary files in the context of the perl interpreter. ', 'distribution' => 'Archive-Zip', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Archive-Zip-2018-01', 'references' => [ 'https://security-tracker.debian.org/tracker/CVE-2018-10860', @@ -3063,14 +3162,16 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.14', + 'affected_versions' => [ + '<1.14' + ], 'cves' => [ 'CVE-2004-1096' ], 'description' => 'Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. ', 'distribution' => 'Archive-Zip', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Archive-Zip-2004-1096', 'references' => [ 'http://www.securityfocus.com/bid/11448', @@ -3420,14 +3521,16 @@ sub db { 'Batch-Batchrun' => { 'advisories' => [ { - 'affected_versions' => '>=1.03', + 'affected_versions' => [ + '>=1.03' + ], 'cves' => [ 'CVE-2011-4117' ], 'description' => 'The Batch::Batchrun module 1.03 for Perl does not properly handle temporary files. ', 'distribution' => 'Batch-Batchrun', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Batch-Batchrun-2011-4117', 'references' => [ 'http://www.openwall.com/lists/oss-security/2011/11/04/2', 
@@ -3449,12 +3552,16 @@ sub db { 'CBOR-XS' => { 'advisories' => [ { - 'affected_versions' => '<1.7', + 'affected_versions' => [ + '<1.7' + ], 'cves' => [], 'description' => 'An out-of bound sharedref or stringref index could cause an out of bounds access - might be exploitable. A decoding error during indefinite array or hash decoding could cause an endless loop. ', 'distribution' => 'CBOR-XS', - 'fixed_versions' => '>=1.7', + 'fixed_versions' => [ + '>=1.7' + ], 'id' => 'CPANSA-CBOR-XS-2017-01', 'references' => [ 'https://metacpan.org/dist/CBOR-XS/changes' @@ -3594,14 +3701,18 @@ sub db { 'CGI' => { 'advisories' => [ { - 'affected_versions' => '<3.63', + 'affected_versions' => [ + '<3.63' + ], 'cves' => [ 'CVE-2012-5526' ], 'description' => 'CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. ', 'distribution' => 'CGI', - 'fixed_versions' => '>=3.63', + 'fixed_versions' => [ + '>=3.63' + ], 'id' => 'CPANSA-CGI-2012-5526', 'references' => [ 'http://www.securityfocus.com/bid/56562', @@ -3623,14 +3734,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<3.56', + 'affected_versions' => [ + '<3.56' + ], 'cves' => [ 'CVE-2011-2766' ], 'description' => 'Usage of deprecated FCGI.pm API. ', 'distribution' => 'CGI', - 'fixed_versions' => '>=3.56', + 'fixed_versions' => [ + '>=3.56' + ], 'id' => 'CPANSA-CGI-2011-2766', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=68380', 
@@ -3639,34 +3754,46 @@ sub db { 'reported' => '2011-11-08' }, { - 'affected_versions' => '<3.50', + 'affected_versions' => [ + '<3.50' + ], 'cves' => [], 'description' => 'Non-random MIME boundary. ', 'distribution' => 'CGI', - 'fixed_versions' => '>=3.50', + 'fixed_versions' => [ + '>=3.50' + ], 'id' => 'CPANSA-CGI-2010-02', 'reported' => '2010-11-08' }, { - 'affected_versions' => '<3.49', + 'affected_versions' => [ + '<3.49' + ], 'cves' => [], 'description' => 'Newlines in headers. ', 'distribution' => 'CGI', - 'fixed_versions' => '>=3.49', + 'fixed_versions' => [ + '>=3.49' + ], 'id' => 'CPANSA-CGI-2010-01', 'reported' => '2010-02-05' }, { - 'affected_versions' => '<3.50', + 'affected_versions' => [ + '<3.50' + ], 'cves' => [ 'CVE-2010-4411' ], 'description' => 'Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761. ', 'distribution' => 'CGI', - 'fixed_versions' => '>=3.50', + 'fixed_versions' => [ + '>=3.50' + ], 'id' => 'CPANSA-CGI-2010-4411', 'references' => [ 'http://openwall.com/lists/oss-security/2010/12/01/3', 
@@ -3689,14 +3816,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<3.50', + 'affected_versions' => [ + '<3.50' + ], 'cves' => [ 'CVE-2010-2761' ], 'description' => 'The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172. ', 'distribution' => 'CGI', - 'fixed_versions' => '>=3.50', + 'fixed_versions' => [ + '>=3.50' + ], 'id' => 'CPANSA-CGI-2010-2761', 'references' => [ 'https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380', @@ -4730,14 +4861,16 @@ sub db { 'CGI-Application' => { 'advisories' => [ { - 'affected_versions' => '<4.50_51', + 'affected_versions' => [ + '<4.50_51' + ], 'cves' => [ 'CVE-2013-7329' ], 'description' => 'The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function. ', 'distribution' => 'CGI-Application', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-CGI-Application-2013-7329', 'references' => [ 'https://github.com/markstos/CGI--Application/pull/15', @@ -4957,12 +5090,16 @@ sub db { 'CGI-Application-Dispatch' => { 'advisories' => [ { - 'affected_versions' => '<1.02', + 'affected_versions' => [ + '<1.02' + ], 'cves' => [], 'description' => 'Untainted module names. ', 'distribution' => 'CGI-Application-Dispatch', - 'fixed_versions' => '>=1.02', + 'fixed_versions' => [ + '>=1.02' + ], 'id' => 'CPANSA-CGI-Application-Dispatch-2005-001', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-Application-Dispatch' 
@@ -5145,12 +5282,16 @@ sub db { 'CGI-Application-Plugin-AutoRunmode' => { 'advisories' => [ { - 'affected_versions' => '<0.04', + 'affected_versions' => [ + '<0.04' + ], 'cves' => [], 'description' => 'Non-word characters are allowed in runmode name. ', 'distribution' => 'CGI-Application-Plugin-AutoRunmode', - 'fixed_versions' => '>=0.04', + 'fixed_versions' => [ + '>=0.04' + ], 'id' => 'CPANSA-CGI-Application-Plugin-AutoRunmode-2005-01', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-Application-Plugin-AutoRunmode' @@ -5225,12 +5366,16 @@ sub db { 'CGI-Application-Plugin-RunmodeDeclare' => { 'advisories' => [ { - 'affected_versions' => '<0.03', + 'affected_versions' => [ + '<0.03' + ], 'cves' => [], 'description' => 'Wrong order of arguments. ', 'distribution' => 'CGI-Application-Plugin-RunmodeDeclare', - 'fixed_versions' => '>=0.03', + 'fixed_versions' => [ + '>=0.03' + ], 'id' => 'CPANSA-CGI-Application-Plugin-RunmodeDeclare-2008-01', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-Application-Plugin-RunmodeDeclare' @@ -5297,12 +5442,16 @@ sub db { 'CGI-Auth-Basic' => { 'advisories' => [ { - 'affected_versions' => '<1.11', + 'affected_versions' => [ + '<1.11' + ], 'cves' => [], 'description' => 'TBD ', 'distribution' => 'CGI-Auth-Basic', - 'fixed_versions' => '>=1.11', + 'fixed_versions' => [ + '>=1.11' + ], 'id' => 'CPANSA-CGI-Auth-Basic-2007-01', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-Auth-Basic' 
@@ -5361,14 +5510,16 @@ sub db { 'CGI-Session' => { 'advisories' => [ { - 'affected_versions' => '<4.10', + 'affected_versions' => [ + '<4.10' + ], 'cves' => [ 'CVE-2006-1279' ], 'description' => 'CGI::Session 4.03-1 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by (1) Driver::File, (2) Driver::db_file, and possibly (3) Driver::sqlite. ', 'distribution' => 'CGI-Session', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-CGI-Session-2006-1279', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555', @@ -5382,12 +5533,16 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<4.12', + 'affected_versions' => [ + '<4.12' + ], 'cves' => [], 'description' => 'possible SQL injection attack ', 'distribution' => 'CGI-Session', - 'fixed_versions' => '>=4.12', + 'fixed_versions' => [ + '>=4.12' + ], 'id' => 'CPANSA-CGI-Session-2006-01', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=18578' @@ -5707,14 +5862,18 @@ sub db { 'CGI-Simple' => { 'advisories' => [ { - 'affected_versions' => '<1.113', + 'affected_versions' => [ + '<1.113' + ], 'cves' => [ 'CVE-2010-4410' ], 'description' => 'Newlines in headers, which could lead to header injection attacks. ', 'distribution' => 'CGI-Simple', - 'fixed_versions' => '>=1.113', + 'fixed_versions' => [ + '>=1.113' + ], 'id' => 'CPANSA-CGI-Simple-2010-02', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-Simple' @@ -5722,12 +5881,16 @@ sub db { 'reported' => '2010-12-27' }, { - 'affected_versions' => '<1.113', + 'affected_versions' => [ + '<1.113' + ], 'cves' => [], 'description' => 'Non-random multipart boundary. ', 'distribution' => 'CGI-Simple', - 'fixed_versions' => '>=1.113', + 'fixed_versions' => [ + '>=1.113' + ], 'id' => 'CPANSA-CGI-Simple-2010-01', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-Simple' 
@@ -5735,14 +5898,16 @@ sub db { 'reported' => '2010-12-27' }, { - 'affected_versions' => '<=1.112', + 'affected_versions' => [ + '<=1.112' + ], 'cves' => [ 'CVE-2010-2761' ], 'description' => 'The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172. ', 'distribution' => 'CGI-Simple', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-CGI-Simple-2010-2761', 'references' => [ 'https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380', @@ -5948,12 +6113,16 @@ sub db { 'CGI-apacheSSI' => { 'advisories' => [ { - 'affected_versions' => '<0.95', + 'affected_versions' => [ + '<0.95' + ], 'cves' => [], 'description' => 'Security and parsing problems with "include" calls. ', 'distribution' => 'CGI-apacheSSI', - 'fixed_versions' => '>=0.95', + 'fixed_versions' => [ + '>=0.95' + ], 'id' => 'CPANSA-CGI-apacheSSI-2016-01', 'references' => [ 'https://metacpan.org/changes/distribution/CGI-apacheSSI' @@ -5984,14 +6153,18 @@ sub db { 'CPAN' => { 'advisories' => [ { - 'affected_versions' => '<2.35', + 'affected_versions' => [ + '<2.35' + ], 'cves' => [ 'CVE-2023-31484' ], 'description' => 'The verify_SSL flag is missing from HTTP::Tiny, and allows a network attacker to MITM the connection if it is used by the CPAN client ', 'distribution' => 'CPAN', - 'fixed_versions' => '>=2.35', + 'fixed_versions' => [ + '>=2.35' + ], 'id' => 'CPANSA-CPAN-2023-31484', 'previous_id' => [ 'CPANSA-CPAN-2023-01' 
@@ -6005,12 +6178,16 @@ sub db { 'reported' => '2023-02-28' }, { - 'affected_versions' => '<1.93', + 'affected_versions' => [ + '<1.93' + ], 'cves' => [], 'description' => 'Archive::Tar preserves permissions in the tarball; extracted file permissions will be set from users umask instead. ', 'distribution' => 'CPAN', - 'fixed_versions' => '>=1.93', + 'fixed_versions' => [ + '>=1.93' + ], 'id' => 'CPANSA-CPAN-2009-01', 'references' => [ 'https://github.com/andk/cpanpm/commit/079fa2e7ee77d626eab8bb06d0465c6a05f6c8b6', @@ -6019,13 +6196,17 @@ sub db { 'reported' => '2009-09-23' }, { - 'affected_versions' => '<2.28', + 'affected_versions' => [ + '<2.28' + ], 'cves' => [ 'CVE-2020-16156' ], 'description' => 'CPAN 2.28 allows Signature Verification Bypass.', 'distribution' => 'CPAN', - 'fixed_versions' => '>=2.29', + 'fixed_versions' => [ + '>=2.29' + ], 'id' => 'CPANSA-CPAN-2020-16156', 'references' => [ 'https://metacpan.org/pod/distribution/CPAN/scripts/cpan', @@ -7421,14 +7602,16 @@ sub db { 'CPAN-Checksums' => { 'advisories' => [ { - 'affected_versions' => '>=2.12', + 'affected_versions' => [ + '>=2.12' + ], 'cves' => [ 'CVE-2020-16155' ], 'description' => 'The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data. ', 'distribution' => 'CPAN-Checksums', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-CPAN-Checksums-2020-16155', 'references' => [ 'https://metacpan.org/pod/CPAN::Checksums', @@ -7577,14 +7760,16 @@ sub db { 'Capture-Tiny' => { 'advisories' => [ { - 'affected_versions' => '<0.24', + 'affected_versions' => [ + '<0.24' + ], 'cves' => [ 'CVE-2014-1875' ], 'description' => 'The Capture::Tiny module before 0.24 for Perl allows local users to write to arbitrary files via a symlink attack on a temporary file. ', 'distribution' => 'Capture-Tiny', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Capture-Tiny-2014-1875', 'references' => [ 'http://osvdb.org/102963', 
@@ -7800,12 +7985,16 @@ sub db { 'Catalyst-Action-REST' => { 'advisories' => [ { - 'affected_versions' => '<1.12', + 'affected_versions' => [ + '<1.12' + ], 'cves' => [], 'description' => 'YAML and YAML::HTML parsers are a potential security hole, as they may allow arbitrary Perl objects to be instantiated. ', 'distribution' => 'Catalyst-Action-REST', - 'fixed_versions' => '>=1.12', + 'fixed_versions' => [ + '>=1.12' + ], 'id' => 'CPANSA-Catalyst-Action-REST-2013-01', 'references' => [ 'https://metacpan.org/dist/Catalyst-Action-REST/changes' @@ -8101,12 +8290,16 @@ sub db { 'Catalyst-Authentication-Store-LDAP' => { 'advisories' => [ { - 'affected_versions' => '<1.013', + 'affected_versions' => [ + '<1.013' + ], 'cves' => [], 'description' => 'Incorrect password check binds to the unauthenticated user. ', 'distribution' => 'Catalyst-Authentication-Store-LDAP', - 'fixed_versions' => '>=1.013', + 'fixed_versions' => [ + '>=1.013' + ], 'id' => 'CPANSA-Catalyst-Authentication-Store-LDAP-2012-01', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=81908' @@ -8194,12 +8387,16 @@ sub db { 'Catalyst-Controller-Combine' => { 'advisories' => [ { - 'affected_versions' => '<0.12', + 'affected_versions' => [ + '<0.12' + ], 'cves' => [], 'description' => 'Allows to use url-encoded path-parts to crawl along the file system and read files outside the intended directory. ', 'distribution' => 'Catalyst-Controller-Combine', - 'fixed_versions' => '>=0.12', + 'fixed_versions' => [ + '>=0.12' + ], 'id' => 'CPANSA-Catalyst-Controller-Combine-2010-01', 'references' => [ 'https://metacpan.org/changes/distribution/Catalyst-Controller-Combine' 
@@ -8250,12 +8447,16 @@ sub db { 'Catalyst-Plugin-Static' => { 'advisories' => [ { - 'affected_versions' => '<0.10', + 'affected_versions' => [ + '<0.10' + ], 'cves' => [], 'description' => 'Serving files outside of $config->{root} directory. ', 'distribution' => 'Catalyst-Plugin-Static', - 'fixed_versions' => '>=0.10', + 'fixed_versions' => [ + '>=0.10' + ], 'id' => 'CPANSA-Catalyst-Plugin-Static-2005-01', 'reported' => '2005-11-14' } @@ -8315,14 +8516,18 @@ sub db { 'Catalyst-Plugin-Static-Simple' => { 'advisories' => [ { - 'affected_versions' => '<0.34', + 'affected_versions' => [ + '<0.34' + ], 'cves' => [ 'CVE-2017-16248' ], 'description' => 'The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a \'.\' character anywhere in the pathname, which differs from the intended policy of allowing access only when the filename itself has a \'.\' character. ', 'distribution' => 'Catalyst-Plugin-Static-Simple', - 'fixed_versions' => '>=0.34', + 'fixed_versions' => [ + '>=0.34' + ], 'id' => 'CPANSA-Catalyst-Plugin-Static-Simple-2017-01', 'references' => [ 'https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/', @@ -8486,12 +8691,16 @@ sub db { 'Catalyst-Runtime' => { 'advisories' => [ { - 'affected_versions' => '<5.90020', + 'affected_versions' => [ + '<5.90020' + ], 'cves' => [], 'description' => 'Passing a special host to the redirect page link makes it vulnerable to XSS attack. ', 'distribution' => 'Catalyst-Runtime', - 'fixed_versions' => '>=5.90020', + 'fixed_versions' => [ + '>=5.90020' + ], 'id' => 'CPANSA-Catalyst-Runtime-2013-01', 'references' => [ 'http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/Catalyst-Runtime.git;a=commitdiff;h=7af54927870a7c6f89323ac1876d49f92e7841f5' 
@@ -8499,12 +8708,16 @@ sub db { 'reported' => '2013-01-23' }, { - 'affected_versions' => '<5.58', + 'affected_versions' => [ + '<5.58' + ], 'cves' => [], 'description' => 'Path traversal in Static::Simple plugin. ', 'distribution' => 'Catalyst-Runtime', - 'fixed_versions' => '>=5.58', + 'fixed_versions' => [ + '>=5.58' + ], 'id' => 'CPANSA-Catalyst-Runtime-2005-01', 'reported' => '2005-11-24' } @@ -9268,14 +9481,16 @@ sub db { 'Clipboard' => { 'advisories' => [ { - 'affected_versions' => '<0.16', + 'affected_versions' => [ + '<0.16' + ], 'cves' => [ 'CVE-2014-5509' ], 'description' => 'clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$. ', 'distribution' => 'Clipboard', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Clipboard-2014-5509', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=98435', @@ -9410,12 +9625,16 @@ sub db { 'Cmd-Dwarf' => { 'advisories' => [ { - 'affected_versions' => '<1.20', + 'affected_versions' => [ + '<1.20' + ], 'cves' => [], 'description' => 'JSON highjacking possibility. ', 'distribution' => 'Cmd-Dwarf', - 'fixed_versions' => '>=1.20', + 'fixed_versions' => [ + '>=1.20' + ], 'id' => 'CPANSA-Cmd-Dwarf-2014-01', 'references' => [ 'https://github.com/seagirl/dwarf/commit/14cf7a1d55db635a07f4838e16f3d9a28e63f529', @@ -9487,12 +9706,16 @@ sub db { 'Compress-LZ4' => { 'advisories' => [ { - 'affected_versions' => '<0.20', + 'affected_versions' => [ + '<0.20' + ], 'cves' => [], 'description' => 'Outdated LZ4 source code with security issue on 32bit systems. ', 'distribution' => 'Compress-LZ4', - 'fixed_versions' => '>=0.20', + 'fixed_versions' => [ + '>=0.20' + ], 'id' => 'CPANSA-Compress-LZ4-2014-01', 'references' => [ 'https://metacpan.org/changes/distribution/Compress-LZ4', 
@@ -9608,14 +9831,18 @@ sub db { 'Compress-Raw-Bzip2' => { 'advisories' => [ { - 'affected_versions' => '<2.031', + 'affected_versions' => [ + '<2.031' + ], 'cves' => [ 'CVE-2010-0405' ], 'description' => 'Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file. ', 'distribution' => 'Compress-Raw-Bzip2', - 'fixed_versions' => '>=2.031', + 'fixed_versions' => [ + '>=2.031' + ], 'id' => 'CPANSA-Compress-Raw-Bzip2-2010-0405', 'references' => [ 'https://metacpan.org/changes/distribution/Compress-Raw-Bzip2' @@ -9623,14 +9850,18 @@ sub db { 'reported' => '2010-01-27' }, { - 'affected_versions' => '<2.018', + 'affected_versions' => [ + '<2.018' + ], 'cves' => [ 'CVE-2009-1884' ], 'description' => 'Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that triggers a buffer overflow, a related issue to CVE-2009-1391. ', 'distribution' => 'Compress-Raw-Bzip2', - 'fixed_versions' => '>=2.018', + 'fixed_versions' => [ + '>=2.018' + ], 'id' => 'CPANSA-Compress-Raw-Bzip2-2009-1884', 'references' => [ 'http://security.gentoo.org/glsa/glsa-200908-07.xml', 
@@ -10018,14 +10249,16 @@ sub db { 'Compress-Raw-Zlib' => { 'advisories' => [ { - 'affected_versions' => '<2.017', + 'affected_versions' => [ + '<2.017' + ], 'cves' => [ 'CVE-2009-1391' ], 'description' => 'Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009. ', 'distribution' => 'Compress-Raw-Zlib', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Compress-Raw-Zlib-2009-1391', 'references' => [ 'http://article.gmane.org/gmane.mail.virus.amavis.user/33635', @@ -10470,14 +10703,16 @@ sub db { 'Config-IniFiles' => { 'advisories' => [ { - 'affected_versions' => '<2.71', + 'affected_versions' => [ + '<2.71' + ], 'cves' => [ 'CVE-2012-2451' ], 'description' => 'The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these details are obtained from third party information. NOTE: it has been reported that this might only be exploitable by writing in the same directory as the .ini file. If this is the case, then this issue might not cross privilege boundaries. ', 'distribution' => 'Config-IniFiles', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Config-IniFiles-2012-2451', 'references' => [ 'http://www.openwall.com/lists/oss-security/2012/05/02/6', 
@@ -10859,14 +11094,18 @@ sub db { 'Config-Model' => { 'advisories' => [ { - 'affected_versions' => '<2.102', + 'affected_versions' => [ + '<2.102' + ], 'cves' => [ 'CVE-2017-0373' ], 'description' => 'The gen_class_pod implementation in lib/Config/Model/Utils/GenClassPod.pm in Config-Model (aka libconfig-model-perl) before 2.102 has a dangerous "use lib" line, which allows remote attackers to have an unspecified impact via a crafted Debian package file. ', 'distribution' => 'Config-Model', - 'fixed_versions' => '>=2.102', + 'fixed_versions' => [ + '>=2.102' + ], 'id' => 'CPANSA-Config-Model-2017-03', 'references' => [ 'https://metacpan.org/changes/distribution/Config-Model', @@ -10875,14 +11114,18 @@ sub db { 'reported' => '2017-05-10' }, { - 'affected_versions' => '<2.102', + 'affected_versions' => [ + '<2.102' + ], 'cves' => [ 'CVE-2017-0374' ], 'description' => 'Loads models from a local directory, making it possible to substitute the model. ', 'distribution' => 'Config-Model', - 'fixed_versions' => '>=2.102', + 'fixed_versions' => [ + '>=2.102' + ], 'id' => 'CPANSA-Config-Model-2017-02', 'references' => [ 'https://metacpan.org/changes/distribution/Config-Model', @@ -10891,12 +11134,16 @@ sub db { 'reported' => '2017-05-10' }, { - 'affected_versions' => '<2.102', + 'affected_versions' => [ + '<2.102' + ], 'cves' => [], 'description' => 'YAML or YAML::XS can be loaded automatically making it possible to run arbitrary code loading a specially crafted YAML file. ', 'distribution' => 'Config-Model', - 'fixed_versions' => '>=2.102', + 'fixed_versions' => [ + '>=2.102' + ], 'id' => 'CPANSA-Config-Model-2017-01', 'references' => [ 'https://metacpan.org/changes/distribution/Config-Model', 
@@ -11996,14 +12243,16 @@ sub db { 'Convert-ASN1' => { 'advisories' => [ { - 'affected_versions' => '<0.27', + 'affected_versions' => [ + '<0.27' + ], 'cves' => [ 'CVE-2013-7488' ], 'description' => 'perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input. ', 'distribution' => 'Convert-ASN1', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Convert-ASN1-2013-7488', 'references' => [ 'https://github.com/gbarr/perl-Convert-ASN1/issues/14', @@ -12145,14 +12394,16 @@ sub db { 'Convert-UUlib' => { 'advisories' => [ { - 'affected_versions' => '<1.051', + 'affected_versions' => [ + '<1.051' + ], 'cves' => [ 'CVE-2005-1349' ], 'description' => 'Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation. ', 'distribution' => 'Convert-UUlib', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Convert-UUlib-2005-1349', 'references' => [ 'http://www.gentoo.org/security/en/glsa/glsa-200504-26.xml', @@ -12328,12 +12579,16 @@ sub db { 'Cpanel-JSON-XS' => { 'advisories' => [ { - 'affected_versions' => '<3.0225', + 'affected_versions' => [ + '<3.0225' + ], 'cves' => [], 'description' => 'Overflow during processing of ill-formed UTF-8 strings. ', 'distribution' => 'Cpanel-JSON-XS', - 'fixed_versions' => '>=3.0225', + 'fixed_versions' => [ + '>=3.0225' + ], 'id' => 'CPANSA-Cpanel-JSON-XS-2016-02', 'references' => [ 'https://metacpan.org/changes/distribution/Cpanel-JSON-XS', 
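Review bot: The Convert-ASN1 record for CVE-2013-7488 in the `@@ -11996,14 +12243,16 @@` hunk does not cover the version its description names: the text says the module "through 0.27" is vulnerable, but the range is `'affected_versions' => [ '<0.27' ]`, which excludes 0.27 itself. It should read `'<=0.27'` so that installations of 0.27 are flagged. The fix belongs in the cpan-security-advisory source before regenerating this file.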
@@ -12343,28 +12598,35 @@ sub db { 'reported' => '2016-11-23' }, { - 'affected_versions' => '<3.0218', + 'affected_versions' => [ + '<3.0218' + ], 'cves' => [], 'description' => 'Possible overflows in av and hv length types. ', 'distribution' => 'Cpanel-JSON-XS', - 'fixed_versions' => '>=3.0218', + 'fixed_versions' => [ + '>=3.0218' + ], 'id' => 'CPANSA-Cpanel-JSON-XS-2016-01', 'references' => [ 'https://metacpan.org/changes/distribution/Cpanel-JSON-XS', 'https://github.com/rurban/Cpanel-JSON-XS/commit/6554531b39fac236321d8601d35eaaa75ae45e20' - ], - 'reported' => '2016-10-06' + ] }, { - 'affected_versions' => '<4.033', + 'affected_versions' => [ + '<4.033' + ], 'cves' => [ 'CVE-2022-48623' ], 'description' => 'Wrong error messages/sometimes crashes or endless loops with invalid JSON in relaxed mode ', 'distribution' => 'Cpanel-JSON-XS', - 'fixed_versions' => '>=4.033', + 'fixed_versions' => [ + '>=4.033' + ], 'id' => 'CPANSA-Cpanel-JSON-XS-2023-01', 'references' => [ 'https://metacpan.org/changes/distribution/Cpanel-JSON-XS', @@ -12856,14 +13118,18 @@ sub db { 'Crypt-CBC' => { 'advisories' => [ { - 'affected_versions' => '<2.17', + 'affected_versions' => [ + '<2.17' + ], 'cves' => [ 'CVE-2006-0898' ], 'description' => 'Crypt::CBC Perl module 2.16 and earlier, when running in RandomIV mode, uses an initialization vector (IV) of 8 bytes, which results in weaker encryption when used with a cipher that requires a larger block size than 8 bytes, such as Rijndael. ', 'distribution' => 'Crypt-CBC', - 'fixed_versions' => '>=2.17', + 'fixed_versions' => [ + '>=2.17' + ], 'id' => 'CPANSA-Crypt-CBC-2006-0898', 'references' => [ 'https://metacpan.org/changes/distribution/Crypt-CBC', 
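Review bot: The CPANSA-Cpanel-JSON-XS-2016-01 record in the `@@ -12343,28 +12598,35 @@` hunk loses data in this regeneration: the removed lines are `],` and `'reported' => '2016-10-06'`, and the added line is only `]`, so the reported date of that advisory is gone while every neighbouring record keeps its `reported` key. This looks like an accidental drop in the source record or in util/generate rather than an intended part of the v2 format change; the date should be restored (`'reported' => '2016-10-06'`) and the generator checked for other records that silently lost keys.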
@@ -13045,14 +13311,16 @@ sub db { 'Crypt-DSA' => { 'advisories' => [ { - 'affected_versions' => '<=1.17', + 'affected_versions' => [ + '<=1.17' + ], 'cves' => [ 'CVE-2011-3599' ], 'description' => 'The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack. ', 'distribution' => 'Crypt-DSA', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Crypt-DSA-2011-3599', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=71421', @@ -13114,14 +13382,18 @@ sub db { 'Crypt-JWT' => { 'advisories' => [ { - 'affected_versions' => '<0.023', + 'affected_versions' => [ + '<0.023' + ], 'cves' => [ 'CVE-2019-1010263' ], 'description' => 'Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c. ', 'distribution' => 'Crypt-JWT', - 'fixed_versions' => '>=0.023', + 'fixed_versions' => [ + '>=0.023' + ], 'id' => 'CPANSA-Crypt-JWT-2019-01', 'references' => [ 'https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c', 
@@ -13131,14 +13403,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<0.022', + 'affected_versions' => [ + '<0.022' + ], 'cves' => [ 'CVE-2019-1010161' ], 'description' => 'perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack vector is: network connectivity(crafting user-controlled input to bypass authentication). The fixed version is: 0.023. ', 'distribution' => 'Crypt-JWT', - 'fixed_versions' => '>=0.022', + 'fixed_versions' => [ + '>=0.022' + ], 'id' => 'CPANSA-Crypt-JWT-2019-01', 'references' => [ 'https://github.com/DCIT/perl-Crypt-JWT/issues/3#issuecomment-417947483' @@ -13266,14 +13542,18 @@ sub db { 'Crypt-OpenSSL-DSA' => { 'advisories' => [ { - 'affected_versions' => '<0.14', + 'affected_versions' => [ + '<0.14' + ], 'cves' => [ 'CVE-2009-0129' ], 'description' => 'Missing error check in do_verify, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature. ', 'distribution' => 'Crypt-OpenSSL-DSA', - 'fixed_versions' => '>=0.14', + 'fixed_versions' => [ + '>=0.14' + ], 'id' => 'CPANSA-Crypt-OpenSSL-DSA-2009-01', 'references' => [ 'https://metacpan.org/changes/distribution/Crypt-OpenSSL-DSA', 
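Review bot: The Crypt-JWT record for CVE-2019-1010161 in the `@@ -13131,14 +13403,18 @@` hunk contradicts its own description and reuses an identifier: it sets `'affected_versions' => [ '<0.022' ]` and `'fixed_versions' => [ '>=0.022' ]`, but the description states "0.022 and earlier is affected ... The fixed version is: 0.023", so 0.022 — the version that is actually vulnerable — is reported as fixed. The ranges should be `'<=0.022'` and `'>=0.023'`. The record's `'id' => 'CPANSA-Crypt-JWT-2019-01'` is also the same id the preceding CVE-2019-1010263 record carries in this file, so the two advisories cannot be distinguished by id; one of them needs a distinct identifier in the cpan-security-advisory source before regenerating.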
@@ -13350,14 +13630,16 @@ sub db { 'Crypt-OpenSSL-RSA' => { 'advisories' => [ { - 'affected_versions' => '>0', + 'affected_versions' => [ + '>0' + ], 'cves' => [ 'CVE-2024-2467' ], 'description' => 'A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode. ', 'distribution' => 'Crypt-OpenSSL-RSA', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Crypt-OpenSSL-RSA-2024-2467', 'references' => [ 'https://access.redhat.com/security/cve/CVE-2024-2467', @@ -13500,14 +13782,18 @@ sub db { 'Crypt-Passwd-XS' => { 'advisories' => [ { - 'affected_versions' => '<0.601', + 'affected_versions' => [ + '<0.601' + ], 'cves' => [ 'CVE-2012-2143' ], 'description' => 'The crypt_des (aka DES-based crypt) function does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. ', 'distribution' => 'Crypt-Passwd-XS', - 'fixed_versions' => '>=0.601', + 'fixed_versions' => [ + '>=0.601' + ], 'id' => 'CPANSA-Crypt-Passwd-XS-2012-01', 'references' => [ 'https://metacpan.org/changes/distribution/Crypt-Passwd-XS' 
@@ -13558,14 +13844,18 @@ sub db { 'Crypt-Perl' => { 'advisories' => [ { - 'affected_versions' => '<0.33', + 'affected_versions' => [ + '<0.33' + ], 'cves' => [ 'CVE-2020-17478' ], 'description' => 'ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm. ', 'distribution' => 'Crypt-Perl', - 'fixed_versions' => '>=0.33', + 'fixed_versions' => [ + '>=0.33' + ], 'id' => 'CPANSA-Crypt-Perl-2020-01', 'references' => [ 'https://github.com/FGasper/p5-Crypt-Perl/compare/0.32...0.33' @@ -13574,14 +13864,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<0.32', + 'affected_versions' => [ + '<0.32' + ], 'cves' => [ 'CVE-2020-13895' ], 'description' => 'Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail. ', 'distribution' => 'Crypt-Perl', - 'fixed_versions' => '>=0.32', + 'fixed_versions' => [ + '>=0.32' + ], 'id' => 'CPANSA-Crypt-Perl-2020-02', 'references' => [ 'https://github.com/FGasper/p5-Crypt-Perl/commit/f960ce75502acf7404187231a706672f8369acb2', @@ -13958,14 +14252,16 @@ sub db { 'CryptX' => { 'advisories' => [ { - 'affected_versions' => '<0.062', + 'affected_versions' => [ + '<0.062' + ], 'cves' => [ 'CVE-2018-25099' ], 'description' => 'A user can pass anything as the tag into gcm_decrypt_verify() and it will return decrypted plaintext. ', 'distribution' => 'CryptX', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-CryptX-2018-01', 'references' => [ 'https://github.com/DCIT/perl-CryptX/issues/47', 
@@ -14838,14 +15134,18 @@ sub db { 'DBD-MariaDB' => { 'advisories' => [ { - 'affected_versions' => '<1.00', + 'affected_versions' => [ + '<1.00' + ], 'cves' => [ 'CVE-2018-2767' ], 'description' => 'SSL problems of MySQL and MariaDB clients. ', 'distribution' => 'DBD-MariaDB', - 'fixed_versions' => '>=1.00', + 'fixed_versions' => [ + '>=1.00' + ], 'id' => 'CPANSA-DBD-MariaDB-2018-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBD-MariaDB' @@ -14853,14 +15153,18 @@ sub db { 'reported' => '2017-07-01' }, { - 'affected_versions' => '<1.00', + 'affected_versions' => [ + '<1.00' + ], 'cves' => [ 'CVE-2017-10788' ], 'description' => 'Use-after-free after calling mysql_stmt_close(). ', 'distribution' => 'DBD-MariaDB', - 'fixed_versions' => '>=1.00', + 'fixed_versions' => [ + '>=1.00' + ], 'id' => 'CPANSA-DBD-MariaDB-2017-02', 'references' => [ 'https://metacpan.org/changes/distribution/DBD-MariaDB' @@ -14868,14 +15172,18 @@ sub db { 'reported' => '2017-07-01' }, { - 'affected_versions' => '<1.00', + 'affected_versions' => [ + '<1.00' + ], 'cves' => [ 'CVE-2017-3302' ], 'description' => 'Leaking dangling pointers. ', 'distribution' => 'DBD-MariaDB', - 'fixed_versions' => '>=1.00', + 'fixed_versions' => [ + '>=1.00' + ], 'id' => 'CPANSA-DBD-MariaDB-2017-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBD-MariaDB' 
@@ -14922,14 +15230,16 @@ sub db { 'DBD-Pg' => { 'advisories' => [ { - 'affected_versions' => '<2.19.0', + 'affected_versions' => [ + '<2.19.0' + ], 'cves' => [ 'CVE-2012-1151' ], 'description' => 'Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function. ', 'distribution' => 'DBD-Pg', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-DBD-Pg-2012-1151', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536', @@ -14952,14 +15262,16 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '=1.49', + 'affected_versions' => [ + '=1.49' + ], 'cves' => [ 'CVE-2009-0663' ], 'description' => 'Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows. ', 'distribution' => 'DBD-Pg', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-DBD-Pg-2009-0663', 'references' => [ 'http://security.debian.org/pool/updates/main/libd/libdbd-pg-perl/libdbd-pg-perl_1.49-2+etch1.diff.gz', 
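Review bot: The DBD-Pg record for CVE-2012-1151 in the `@@ -14922,14 +15230,16 @@` hunk has `'fixed_versions' => []` even though its description says the module "before 2.19.0" is affected, so cpan-audit cannot tell a user which release resolves the finding; `'fixed_versions' => [ '>=2.19.0' ]` would match the description and the `'<2.19.0'` affected range. The same shape — a "before X" description with an empty fixed list — recurs in several other NVD-derived records visible in this diff (Capture-Tiny, Config-IniFiles, Compress-Raw-Zlib, Convert-UUlib), which suggests the generator or source records could derive the fixed range from the affected upper bound where one exists; that is an inference about the import pipeline and should be confirmed against util/generate.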
@@ -14979,14 +15291,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<2.0.0', + 'affected_versions' => [ + '<2.0.0' + ], 'cves' => [ 'CVE-2009-1341' ], 'description' => 'Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns. ', 'distribution' => 'DBD-Pg', - 'fixed_versions' => '>=2.0.0', + 'fixed_versions' => [ + '>=2.0.0' + ], 'id' => 'CPANSA-DBD-Pg-2009-1341', 'references' => [ 'http://rt.cpan.org/Public/Bug/Display.html?id=21392', @@ -15919,14 +16235,18 @@ sub db { 'DBD-SQLite' => { 'advisories' => [ { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-15358' ], 'description' => 'In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-15358', 'references' => [ 'https://www.sqlite.org/src/info/10fa79d00f8091e5', @@ -15956,14 +16276,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-13632' ], 'description' => 'ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-13632', 'references' => [ 'https://bugs.chromium.org/p/chromium/issues/detail?id=1080459', 
@@ -15982,14 +16306,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-13631' ], 'description' => 'SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-13631', 'references' => [ 'https://bugs.chromium.org/p/chromium/issues/detail?id=1080459', @@ -16018,14 +16346,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-13630' ], 'description' => 'ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-13630', 'references' => [ 'https://bugs.chromium.org/p/chromium/issues/detail?id=1080459', @@ -16054,14 +16386,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-13435' ], 'description' => 'SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-13435', 'references' => [ 'https://www.sqlite.org/src/info/7a5279a25c57adf1', 
@@ -16087,14 +16423,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-13434' ], 'description' => 'SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-13434', 'references' => [ 'https://www.sqlite.org/src/info/23439ea582241138', @@ -16124,14 +16464,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-11656' ], 'description' => 'In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-11656', 'references' => [ 'https://www3.sqlite.org/cgi/src/info/b64674919f673602', @@ -16150,14 +16494,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-11655' ], 'description' => 'SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object\'s initialization is mishandled. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-11655', 'references' => [ 'https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11', 
@@ -16179,14 +16527,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.65_03', + 'affected_versions' => [ + '<1.65_03' + ], 'cves' => [ 'CVE-2020-9327' ], 'description' => 'In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2020-9327', 'references' => [ 'https://www.sqlite.org/cgi/src/info/4374860b29383380', @@ -16205,14 +16557,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-20218' ], 'description' => 'selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-20218', 'references' => [ 'https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387', @@ -16226,14 +16582,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19959' ], 'description' => 'ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded \'\\\\0\' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19959', 'references' => [ 'https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec', @@ -16246,7 +16606,9 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19926', 'CVE-2019-19880' 
@@ -16254,7 +16616,9 @@ sub db { 'description' => 'multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19926', 'references' => [ 'https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089', @@ -16273,14 +16637,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '>=1.19_01,<1.63_03', + 'affected_versions' => [ + '>=1.19_01,<1.63_03' + ], 'cves' => [ 'CVE-2019-8457' ], 'description' => 'SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.63_04', + 'fixed_versions' => [ + '>=1.63_04' + ], 'id' => 'CPANSA-DBD-SQLite-2019-8457', 'references' => [ 'https://www.sqlite.org/src/info/90acdbfce9c08858', @@ -16303,14 +16671,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '>=1.61_03,<1.63_03', + 'affected_versions' => [ + '>=1.61_03,<1.63_03' + ], 'cves' => [ 'CVE-2019-5018' ], 'description' => 'An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.63_04', + 'fixed_versions' => [ + '>=1.63_04' + ], 'id' => 'CPANSA-DBD-SQLite-2019-5018', 'references' => [ 'https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777', 
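Review bot: The DBD-SQLite records for CVE-2019-8457 in the `@@ -16273,14 +16637,18 @@` hunk and for CVE-2019-5018 in the hunk after it leave version 1.63_03 in neither range: `'affected_versions' => [ '>=1.19_01,<1.63_03' ]` (and `'>=1.61_03,<1.63_03'`) stop before 1.63_03, while `'fixed_versions' => [ '>=1.63_04' ]` starts after it, so an installed 1.63_03 is neither flagged nor reported as fixed. Unless 1.63_03 is known to be unaffected, the affected ranges should extend to `<1.63_04` (or the fixed range should start at `>=1.63_03`) so the two ranges meet; which of the two is correct depends on the SQLite version bundled in 1.63_03, which this diff does not show. The correction belongs in the cpan-security-advisory source records before regenerating.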
@@ -16324,14 +16696,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19925' ], 'description' => 'zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19925', 'references' => [ 'https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618', @@ -16349,14 +16725,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19924' ], 'description' => 'SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19924', 'references' => [ 'https://github.com/sqlite/sqlite/commit/8654186b0236d556aa85528c2573ee0b6ab71be3', @@ -16371,14 +16751,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19923' ], 'description' => 'flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results). ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19923', 'references' => [ 'https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35', 
@@ -16396,14 +16780,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19880' ], 'description' => 'exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19880', 'references' => [ 'https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54', @@ -16421,14 +16809,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<=1.65_02', + 'affected_versions' => [ + '<=1.65_02' + ], 'cves' => [ 'CVE-2019-19646' ], 'description' => 'pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19646', 'references' => [ 'https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd', @@ -16443,14 +16835,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '<=1.65_02', + 'affected_versions' => [ + '<=1.65_02' + ], 'cves' => [ 'CVE-2019-19645' ], 'description' => 'alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19645', 'references' => [ 'https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06', 
@@ -16464,14 +16860,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19603' ], 'description' => 'SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19603', 'references' => [ 'https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13', @@ -16486,14 +16886,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19317' ], 'description' => 'lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19317', 'references' => [ 'https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8', @@ -16506,14 +16910,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19244' ], 'description' => 'sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19244', 'references' => [ 'https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348', 
@@ -16525,14 +16933,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.65_02', + 'affected_versions' => [ + '=1.65_02' + ], 'cves' => [ 'CVE-2019-19242' ], 'description' => 'SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.65_03', + 'fixed_versions' => [ + '>=1.65_03' + ], 'id' => 'CPANSA-DBD-SQLite-2019-19242', 'references' => [ 'https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c', @@ -16544,14 +16956,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.61_01', + 'affected_versions' => [ + '<1.61_01' + ], 'cves' => [ 'CVE-2018-20506' ], 'description' => 'SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.61_01', + 'fixed_versions' => [ + '>=1.61_01' + ], 'id' => 'CPANSA-DBD-SQLite-2018-20506', 'references' => [ 'https://support.apple.com/kb/HT209451', 
@@ -16586,14 +17002,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '=1.59_02', + 'affected_versions' => [ + '=1.59_02' + ], 'cves' => [ 'CVE-2018-20505' ], 'description' => 'SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.59_03', + 'fixed_versions' => [ + '>=1.59_03' + ], 'id' => 'CPANSA-DBD-SQLite-2018-20505', 'references' => [ 'https://support.apple.com/kb/HT209451', @@ -16623,14 +17043,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.61_01', + 'affected_versions' => [ + '<1.61_01' + ], 'cves' => [ 'CVE-2018-20346' ], 'description' => 'SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.61_01', + 'fixed_versions' => [ + '>=1.61_01' + ], 'id' => 'CPANSA-DBD-SQLite-2018-20346', 'references' => [ 'https://www.sqlite.org/releaselog/3_25_3.html', 
@@ -16671,14 +17095,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.59_01', + 'affected_versions' => [ + '<1.59_01' + ], 'cves' => [ 'CVE-2018-8740' ], 'description' => 'In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.59_01', + 'fixed_versions' => [ + '>=1.59_01' + ], 'id' => 'CPANSA-DBD-SQLite-2018-8740', 'references' => [ 'https://www.sqlite.org/cgi/src/timeline?r=corrupt-schema', @@ -16709,7 +17137,9 @@ sub db { 'description' => 'The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.55_07', + 'fixed_versions' => [ + '>=1.55_07' + ], 'id' => 'CPANSA-DBD-SQLite-2017-10989', 'references' => [ 'https://sqlite.org/src/info/66de6f4a', @@ -16733,14 +17163,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '<=1.51_04', + 'affected_versions' => [ + '<=1.51_04' + ], 'cves' => [ 'CVE-2016-6153' ], 'description' => 'os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.51_05', + 'fixed_versions' => [ + '>=1.51_05' + ], 'id' => 'CPANSA-DBD-SQLite-2016-6153', 'references' => [ 'http://www.openwall.com/lists/oss-security/2016/07/01/1', 
@@ -16760,14 +17194,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<=1.47_01', + 'affected_versions' => [ + '<=1.47_01' + ], 'cves' => [ 'CVE-2015-3416' ], 'description' => 'The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.47_02', + 'fixed_versions' => [ + '>=1.47_02' + ], 'id' => 'CPANSA-DBD-SQLite-2015-3416', 'references' => [ 'http://www.sqlite.org/src/info/c494171f77dc2e5e04cb6d865e688448f04e5920', @@ -16791,14 +17229,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<=1.47_01', + 'affected_versions' => [ + '<=1.47_01' + ], 'cves' => [ 'CVE-2015-3415' ], 'description' => 'The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.47_02', + 'fixed_versions' => [ + '>=1.47_02' + ], 'id' => 'CPANSA-DBD-SQLite-2015-3415', 'references' => [ 'https://www.sqlite.org/src/info/02e3c88fbf6abdcf3975fb0fb71972b0ab30da30', 
@@ -16821,14 +17263,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<=1.47_01', + 'affected_versions' => [ + '<=1.47_01' + ], 'cves' => [ 'CVE-2015-3414' ], 'description' => 'SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.47_02', + 'fixed_versions' => [ + '>=1.47_02' + ], 'id' => 'CPANSA-DBD-SQLite-2015-3414', 'references' => [ 'https://www.sqlite.org/src/info/eddc05e7bb31fae74daa86e0504a3478b99fa0f2', @@ -16851,14 +17297,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '=1.47_01', + 'affected_versions' => [ + '=1.47_01' + ], 'cves' => [ 'CVE-2013-7443' ], 'description' => 'Buffer overflow in the skip-scan optimization in SQLite 3.8.2 allows remote attackers to cause a denial of service (crash) via crafted SQL statements. ', 'distribution' => 'DBD-SQLite', - 'fixed_versions' => '>=1.47_02', + 'fixed_versions' => [ + '>=1.47_02' + ], 'id' => 'CPANSA-DBD-SQLite-2013-7443', 'references' => [ 'https://www.sqlite.org/src/info/520070ec7fbaac73eda0e0123596b7bb3e9a6897', 
@@ -17700,14 +18150,18 @@ sub db { 'DBD-mysql' => { 'advisories' => [ { - 'affected_versions' => '<4.044', + 'affected_versions' => [ + '<4.044' + ], 'cves' => [ 'CVE-2017-10788' ], 'description' => 'The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a loss of a network connection to a MySQL server. The use-after-free defect was introduced by relying on incorrect Oracle mysql_stmt_close documentation and code examples. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '>=4.044', + 'fixed_versions' => [ + '>=4.044' + ], 'id' => 'CPANSA-DBD-mysql-2017-02', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/issues/120', @@ -17717,14 +18171,18 @@ sub db { 'reported' => '2017-04-13' }, { - 'affected_versions' => '<4.044', + 'affected_versions' => [ + '<4.044' + ], 'cves' => [ 'CVE-2017-10789' ], 'description' => 'The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting\'s documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '>=4.044', + 'fixed_versions' => [ + '>=4.044' + ], 'id' => 'CPANSA-DBD-mysql-2017-01', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/pull/114' 
@@ -17732,14 +18190,18 @@ sub db { 'reported' => '2017-03-23' }, { - 'affected_versions' => '>=2.9003,<4.039', + 'affected_versions' => [ + '>=2.9003,<4.039' + ], 'cves' => [ 'CVE-2016-1249' ], 'description' => 'Out-of-bounds read. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '<2.9003,>=4.039', + 'fixed_versions' => [ + '<2.9003,>=4.039' + ], 'id' => 'CPANSA-DBD-mysql-2016-03', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe' @@ -17747,14 +18209,18 @@ sub db { 'reported' => '2016-11-16' }, { - 'affected_versions' => '<4.037', + 'affected_versions' => [ + '<4.037' + ], 'cves' => [ 'CVE-2016-1246' ], 'description' => 'Buffer overflow in the DBD::mysql module before 4.037 for Perl allows context-dependent attackers to cause a denial of service (crash) via vectors related to an error message. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '>=4.037', + 'fixed_versions' => [ + '>=4.037' + ], 'id' => 'CPANSA-DBD-mysql-2016-02', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2', @@ -17763,14 +18229,18 @@ sub db { 'reported' => '2016-10-02' }, { - 'affected_versions' => '<4.034', + 'affected_versions' => [ + '<4.034' + ], 'cves' => [ 'CVE-2015-8949' ], 'description' => 'Use-after-free vulnerability in the my_login function in DBD::mysql before 4.033_01 allows attackers to have unspecified impact by leveraging a call to mysql_errno after a failure of my_login. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '>=4.034', + 'fixed_versions' => [ + '>=4.034' + ], 'id' => 'CPANSA-DBD-mysql-2016-01', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156' 
@@ -17778,14 +18248,18 @@ sub db { 'reported' => '2016-08-19' }, { - 'affected_versions' => '<4.041', + 'affected_versions' => [ + '<4.041' + ], 'cves' => [ 'CVE-2016-1251' ], 'description' => 'There is a vulnerability of type use-after-free affecting DBD::mysql (aka DBD-mysql or the Database Interface (DBI) MySQL driver for Perl) 3.x and 4.x before 4.041 when used with mysql_server_prepare=1. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '>=4.041', + 'fixed_versions' => [ + '>=4.041' + ], 'id' => 'CPANSA-DBD-mysql-2015-01', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/commit/3619c170461a3107a258d1fd2d00ed4832adb1b1' @@ -17793,14 +18267,18 @@ sub db { 'reported' => '2015-12-27' }, { - 'affected_versions' => '<4.028', + 'affected_versions' => [ + '<4.028' + ], 'cves' => [ 'CVE-2014-9906' ], 'description' => 'Use-after-free vulnerability in DBD::mysql before 4.029 allows attackers to cause a denial of service (program crash) or possibly execute arbitrary code via vectors related to a lost server connection. ', 'distribution' => 'DBD-mysql', - 'fixed_versions' => '>=4.028', + 'fixed_versions' => [ + '>=4.028' + ], 'id' => 'CPANSA-DBD-mysql-2014-01', 'references' => [ 'https://github.com/perl5-dbi/DBD-mysql/commit/a56ae87a4c1c1fead7d09c3653905841ccccf1cc', @@ -18416,12 +18894,16 @@ sub db { 'DBD-mysqlPP' => { 'advisories' => [ { - 'affected_versions' => '<0.93', + 'affected_versions' => [ + '<0.93' + ], 'cves' => [], 'description' => 'SQL injection. ', 'distribution' => 'DBD-mysqlPP', - 'fixed_versions' => '>=0.03', + 'fixed_versions' => [ + '>=0.03' + ], 'id' => 'CPANSA-DBD-mysqlPP-2011-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBD-mysqlPP', 
@@ -18462,14 +18944,18 @@ sub db { 'DBI' => { 'advisories' => [ { - 'affected_versions' => '<1.643', + 'affected_versions' => [ + '<1.643' + ], 'cves' => [ 'CVE-2020-14393' ], 'description' => 'A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.643', + 'fixed_versions' => [ + '>=1.643' + ], 'id' => 'CPANSA-DBI-2020-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBI', @@ -18479,14 +18965,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.643', + 'affected_versions' => [ + '<1.643' + ], 'cves' => [ 'CVE-2020-14392' ], 'description' => 'An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service\'s availability. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.643', + 'fixed_versions' => [ + '>=1.643' + ], 'id' => 'CPANSA-DBI-2020-03', 'references' => [ 'https://metacpan.org/changes/distribution/DBI', @@ -18502,14 +18992,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.643', + 'affected_versions' => [ + '<1.643' + ], 'cves' => [ 'CVE-2019-20919' ], 'description' => 'An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.643', + 'fixed_versions' => [ + '>=1.643' + ], 'id' => 'CPANSA-DBI-2020-02', 'references' => [ 'https://metacpan.org/changes/distribution/DBI', 
@@ -18526,12 +19020,16 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.632', + 'affected_versions' => [ + '<1.632' + ], 'cves' => [], 'description' => 'DBD::File drivers open files from folders other than specifically passed using the f_dir attribute. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.632', + 'fixed_versions' => [ + '>=1.632' + ], 'id' => 'CPANSA-DBI-2014-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBI', @@ -18541,14 +19039,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.47', + 'affected_versions' => [ + '<1.47' + ], 'cves' => [ 'CVE-2005-0077' ], 'description' => 'Allows local users to overwrite arbitrary files via a symlink attack on a temporary PID file. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.47', + 'fixed_versions' => [ + '>=1.47' + ], 'id' => 'CPANSA-DBI-2005-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBI' @@ -18556,14 +19058,18 @@ sub db { 'reported' => '2005-05-02' }, { - 'affected_versions' => '<1.643', + 'affected_versions' => [ + '<1.643' + ], 'cves' => [ 'CVE-2014-10402' ], 'description' => 'An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.644', + 'fixed_versions' => [ + '>=1.644' + ], 'id' => 'CPANSA-DBI-2014-10402', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=99508#txn-1911590', 
@@ -18573,14 +19079,18 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.632', + 'affected_versions' => [ + '<1.632' + ], 'cves' => [ 'CVE-2014-10401' ], 'description' => 'An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute. ', 'distribution' => 'DBI', - 'fixed_versions' => '>=1.644', + 'fixed_versions' => [ + '>=1.644' + ], 'id' => 'CPANSA-DBI-2014-10401', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=99508', @@ -18593,14 +19103,16 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.628', + 'affected_versions' => [ + '<1.628' + ], 'cves' => [ 'CVE-2013-7491' ], 'description' => 'An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated. ', 'distribution' => 'DBI', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-DBI-2013-7491', 'references' => [ 'https://github.com/perl5-dbi/dbi/commit/401f1221311c71f760e21c98772f0f7e3cbead1d', @@ -18611,14 +19123,16 @@ sub db { 'severity' => 'medium' }, { - 'affected_versions' => '<1.632', + 'affected_versions' => [ + '<1.632' + ], 'cves' => [ 'CVE-2013-7490' ], 'description' => 'An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption. ', 'distribution' => 'DBI', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-DBI-2013-7490', 'references' => [ 'https://github.com/perl5-dbi/dbi/commit/a8b98e988d6ea2946f5f56691d6d5ead53f65766', 
@@ -19427,18 +19941,26 @@ sub db { { 'date' => '2024-08-22T07:09:52', 'version' => '1.643_02' + }, + { + 'date' => '2024-08-23T17:54:09', + 'version' => '1.644' } ] }, 'DBIx-Custom' => { 'advisories' => [ { - 'affected_versions' => '<0.1641', + 'affected_versions' => [ + '<0.1641' + ], 'cves' => [], 'description' => 'SQL injection when passing special column names. ', 'distribution' => 'DBIx-Custom', - 'fixed_versions' => '>=0.1641', + 'fixed_versions' => [ + '>=0.1641' + ], 'id' => 'CPANSA-DBIx-Custom-2011-01', 'references' => [ 'https://metacpan.org/changes/distribution/DBIx-Custom', @@ -20299,14 +20821,18 @@ sub db { 'Dancer' => { 'advisories' => [ { - 'affected_versions' => '<1.3114', + 'affected_versions' => [ + '<1.3114' + ], 'cves' => [ 'CVE-2012-5572' ], 'description' => 'CRLF injection vulnerability in the cookie method allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a cookie name. ', 'distribution' => 'Dancer', - 'fixed_versions' => '>=1.3114', + 'fixed_versions' => [ + '>=1.3114' + ], 'id' => 'CPANSA-Dancer-2014-01', 'references' => [ 'https://metacpan.org/changes/distribution/Dancer', @@ -20315,14 +20841,18 @@ sub db { 'reported' => '2014-05-30' }, { - 'affected_versions' => '<1.3051', + 'affected_versions' => [ + '<1.3051' + ], 'cves' => [ 'CVE-2011-1589' ], 'description' => 'Directory traversal vulnerability (Mojolicious report, but Dancer was vulnerable as well). ', 'distribution' => 'Dancer', - 'fixed_versions' => '>=1.3051', + 'fixed_versions' => [ + '>=1.3051' + ], 'id' => 'CPANSA-Dancer-2011-01', 'references' => [ 'https://metacpan.org/changes/distribution/Dancer', 
@@ -21070,12 +21600,16 @@ sub db { 'Dancer2' => { 'advisories' => [ { - 'affected_versions' => '<0.206000', + 'affected_versions' => [ + '<0.206000' + ], 'cves' => [], 'description' => 'There is a potential RCE with regards to Storable. We have added session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. ', 'distribution' => 'Dancer2', - 'fixed_versions' => '>=0.206000', + 'fixed_versions' => [ + '>=0.206000' + ], 'id' => 'CPANSA-Dancer2-2018-01', 'references' => [ 'https://metacpan.org/changes/distribution/Dancer2', @@ -21493,14 +22027,18 @@ sub db { 'Data-Dumper' => { 'advisories' => [ { - 'affected_versions' => '<2.154', + 'affected_versions' => [ + '<2.154' + ], 'cves' => [ 'CVE-2014-4330' ], 'description' => 'Infinite recursion. ', 'distribution' => 'Data-Dumper', - 'fixed_versions' => '>=2.154', + 'fixed_versions' => [ + '>=2.154' + ], 'id' => 'CPANSA-Data-Dumper-2014-01', 'references' => [ 'https://metacpan.org/changes/distribution/Data-Dumper' @@ -21755,14 +22293,18 @@ sub db { 'Data-FormValidator' => { 'advisories' => [ { - 'affected_versions' => '<=4.66', + 'affected_versions' => [ + '<=4.66' + ], 'cves' => [ 'CVE-2011-2201' ], 'description' => 'The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly preserve the taint attribute of data, which might allow remote attackers to bypass the taint protection mechanism via form input. ', 'distribution' => 'Data-FormValidator', - 'fixed_versions' => '>4.66', + 'fixed_versions' => [ + '>4.66' + ], 'id' => 'CPANSA-Data-FormValidator-2011-2201', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511', 
@@ -22121,14 +22663,18 @@ sub db { 'Data-UUID' => { 'advisories' => [ { - 'affected_versions' => '>1.219,<1.227', + 'affected_versions' => [ + '>1.219,<1.227' + ], 'cves' => [ 'CVE-2013-4184' ], 'description' => 'Perl module Data::UUID from CPAN version 1.219 vulnerable to symlink attacks ', 'distribution' => 'Data-UUID', - 'fixed_versions' => '>=1.227', + 'fixed_versions' => [ + '>=1.227' + ], 'id' => 'CPANSA-Data-UUID-2013-4184', 'references' => [ 'https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-4184', @@ -22334,14 +22880,18 @@ sub db { 'Data-Validate-IP' => { 'advisories' => [ { - 'affected_versions' => '<=0.29', + 'affected_versions' => [ + '<=0.29' + ], 'cves' => [ 'CVE-2021-29662' ], 'description' => 'The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. ', 'distribution' => 'Data-Validate-IP', - 'fixed_versions' => '>0.29', + 'fixed_versions' => [ + '>0.29' + ], 'id' => 'CPANSA-Data-Validate-IP-2021-01', 'references' => [ 'https://security.netapp.com/advisory/ntap-20210604-0002/', @@ -22477,12 +23027,16 @@ sub db { 'Devel-PPPort' => { 'advisories' => [ { - 'affected_versions' => '<3.41', + 'affected_versions' => [ + '<3.41' + ], 'cves' => [], 'description' => 'Function croak() takes first parameter printf-like format. Arbitrary string from the variable $@ can cause perl crash when contains one or more \'%\'. ', 'distribution' => 'Devel-PPPort', - 'fixed_versions' => '>=3.41', + 'fixed_versions' => [ + '>=3.41' + ], 'id' => 'CPANSA-Devel-PPPort-2017-01', 'references' => [ 'https://metacpan.org/dist/Devel-PPPort/changes', 
@@ -22991,14 +23545,18 @@ sub db { 'Devel-StackTrace' => { 'advisories' => [ { - 'affected_versions' => '<1.19', + 'affected_versions' => [ + '<1.19' + ], 'cves' => [ 'CVE-2008-3502' ], 'description' => 'Unspecified vulnerability in Best Practical Solutions RT 3.0.0 through 3.6.6 allows remote authenticated users to cause a denial of service (CPU or memory consumption) via unspecified vectors related to the Devel::StackTrace module for Perl. ', 'distribution' => 'Devel-StackTrace', - 'fixed_versions' => '>=1.19', + 'fixed_versions' => [ + '>=1.19' + ], 'id' => 'CPANSA-Devel-StackTrace-2008-3502', 'references' => [ 'http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html', @@ -23209,12 +23767,16 @@ sub db { 'Dezi' => { 'advisories' => [ { - 'affected_versions' => '<0.002002', + 'affected_versions' => [ + '<0.002002' + ], 'cves' => [], 'description' => 'Bypassing authentication on the /index URL app with non-idempotent requests to /search URL. ', 'distribution' => 'Dezi', - 'fixed_versions' => '>=0.002002', + 'fixed_versions' => [ + '>=0.002002' + ], 'id' => 'CPANSA-Dezi-2012-01', 'references' => [ 'https://metacpan.org/changes/distribution/Dezi', @@ -23342,14 +23904,18 @@ sub db { 'Digest' => { 'advisories' => [ { - 'affected_versions' => '<1.17', + 'affected_versions' => [ + '<1.17' + ], 'cves' => [ 'CVE-2011-3597' ], 'description' => 'Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. ', 'distribution' => 'Digest', - 'fixed_versions' => '>=0.17', + 'fixed_versions' => [ + '>=0.17' + ], 'id' => 'CPANSA-Digest-2011-3597', 'references' => [ 'http://aix.software.ibm.com/aix/efixes/security/perl_advisory2.asc', 
@@ -23378,14 +23944,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.19', + 'affected_versions' => [ + '<1.19' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Includes . in @INC which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'Digest', - 'fixed_versions' => '>=1.19', + 'fixed_versions' => [ + '>=1.19' + ], 'id' => 'CPANSA-Digest-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', @@ -23499,14 +24069,16 @@ sub db { 'Digest-MD5' => { 'advisories' => [ { - 'affected_versions' => '<2.25', + 'affected_versions' => [ + '<2.25' + ], 'cves' => [ 'CVE-2002-0703' ], 'description' => 'An interaction between the Perl MD5 module (perl-Digest-MD5) and Perl could produce incorrect MD5 checksums for UTF-8 data, which could prevent a system from properly verifying the integrity of the data. ', 'distribution' => 'Digest-MD5', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Digest-MD5-2002-0703', 'references' => [ 'http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-035.php', @@ -23793,14 +24365,18 @@ sub db { 'Dpkg' => { 'advisories' => [ { - 'affected_versions' => '<1.21.8', + 'affected_versions' => [ + '<1.21.8' + ], 'cves' => [ 'CVE-2022-1664' ], 'description' => 'Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.21.8', + 'fixed_versions' => [ + '>=1.21.8' + ], 'id' => 'CPANSA-Dpkg-2022-1664', 'references' => [ 'https://lists.debian.org/debian-security-announce/2022/msg00115.html', 
@@ -23814,14 +24390,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '<1.18.24', + 'affected_versions' => [ + '<1.18.24' + ], 'cves' => [ 'CVE-2017-8283' ], 'description' => 'dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.18.24', + 'fixed_versions' => [ + '>=1.18.24' + ], 'id' => 'CPANSA-Dpkg-2017-8283', 'references' => [ 'http://www.openwall.com/lists/oss-security/2017/04/20/2', 
@@ -23831,14 +24411,18 @@ sub db { 'severity' => 'critical' }, { - 'affected_versions' => '<1.18.11', + 'affected_versions' => [ + '<1.18.11' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.18.11', + 'fixed_versions' => [ + '>=1.18.11' + ], 'id' => 'CPANSA-Dpkg-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', 
@@ -23861,14 +24445,18 @@ sub db { 'severity' => 'high' }, { - 'affected_versions' => '<1.18.4', + 'affected_versions' => [ + '<1.18.4' + ], 'cves' => [ 'CVE-2015-0860' ], 'description' => 'Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute arbitrary code via the archive magic version number in an "old-style" Debian binary package, which triggers a stack-based buffer overflow. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.18.4', + 'fixed_versions' => [ + '>=1.18.4' + ], 'id' => 'CPANSA-Dpkg-2015-0860', 'references' => [ 'http://www.ubuntu.com/usn/USN-2820-1', @@ -23882,14 +24470,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.18.0', + 'affected_versions' => [ + '<1.18.0' + ], 'cves' => [ 'CVE-2015-0840' ], 'description' => 'The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc). ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.18.0', + 'fixed_versions' => [ + '>=1.18.0' + ], 'id' => 'CPANSA-Dpkg-2015-0840', 'references' => [ 'http://www.ubuntu.com/usn/USN-2566-1', @@ -23901,14 +24493,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.22', + 'affected_versions' => [ + '<1.17.22' + ], 'cves' => [ 'CVE-2014-8625' ], 'description' => 'Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.22', + 'fixed_versions' => [ + '>=1.17.22' + ], 'id' => 'CPANSA-Dpkg-2014-8625', 'references' => [ 'http://seclists.org/oss-sec/2014/q4/539', 
@@ -23923,14 +24519,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.10', + 'affected_versions' => [ + '<1.17.10' + ], 'cves' => [ 'CVE-2014-0471' ], 'description' => 'Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting." ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.10', + 'fixed_versions' => [ + '>=1.17.10' + ], 'id' => 'CPANSA-Dpkg-2014-0471', 'references' => [ 'http://www.debian.org/security/2014/dsa-2915', @@ -23941,14 +24541,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.10', + 'affected_versions' => [ + '<1.17.10' + ], 'cves' => [ 'CVE-2014-3127' ], 'description' => 'dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.10', + 'fixed_versions' => [ + '>=1.17.10' + ], 'id' => 'CPANSA-Dpkg-2014-3127', 'references' => [ 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306', 
@@ -23961,14 +24565,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.10', + 'affected_versions' => [ + '<1.17.10' + ], 'cves' => [ 'CVE-2014-3864' ], 'description' => 'Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0 allows remote attackers to modify files outside of the intended directories via a crafted source package that lacks a --- header line. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.10', + 'fixed_versions' => [ + '>=1.17.10' + ], 'id' => 'CPANSA-Dpkg-2014-3864', 'references' => [ 'http://openwall.com/lists/oss-security/2014/05/25/2', @@ -23981,14 +24589,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.10', + 'affected_versions' => [ + '<1.17.10' + ], 'cves' => [ 'CVE-2014-3865' ], 'description' => 'Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.10', + 'fixed_versions' => [ + '>=1.17.10' + ], 'id' => 'CPANSA-Dpkg-2014-3865', 'references' => [ 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183', @@ -24001,14 +24613,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.9', + 'affected_versions' => [ + '<1.17.9' + ], 'cves' => [ 'CVE-2014-0471' ], 'description' => 'Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting." ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.9', + 'fixed_versions' => [ + '>=1.17.9' + ], 'id' => 'CPANSA-Dpkg-2014-0471', 'references' => [ 'http://www.debian.org/security/2014/dsa-2915', 
@@ -24019,14 +24635,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.9', + 'affected_versions' => [ + '<1.17.9' + ], 'cves' => [ 'CVE-2014-3127' ], 'description' => 'dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.9', + 'fixed_versions' => [ + '>=1.17.9' + ], 'id' => 'CPANSA-Dpkg-2014-3127', 'references' => [ 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306', @@ -24039,14 +24659,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.17.8', + 'affected_versions' => [ + '<1.17.8' + ], 'cves' => [ 'CVE-2014-0471' ], 'description' => 'Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting." ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.17.8', + 'fixed_versions' => [ + '>=1.17.8' + ], 'id' => 'CPANSA-Dpkg-2014-0471', 'references' => [ 'http://www.debian.org/security/2014/dsa-2915', 
@@ -24057,14 +24681,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.15.8.8', + 'affected_versions' => [ + '<1.15.8.8' + ], 'cves' => [ 'CVE-2010-1679' ], 'description' => 'Directory traversal vulnerability in dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via directory traversal sequences in a patch for a source-format 3.0 package. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.15.8.8', + 'fixed_versions' => [ + '>=1.15.8.8' + ], 'id' => 'CPANSA-Dpkg-2010-1679', 'references' => [ 'http://www.vupen.com/english/advisories/2011/0044', @@ -24085,14 +24713,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.15.6', + 'affected_versions' => [ + '<1.15.6' + ], 'cves' => [ 'CVE-2010-0396' ], 'description' => 'Directory traversal vulnerability in the dpkg-source component in dpkg before 1.14.29 allows remote attackers to modify arbitrary files via a crafted Debian source archive. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.15.6', + 'fixed_versions' => [ + '>=1.15.6' + ], 'id' => 'CPANSA-Dpkg-2010-0396', 'references' => [ 'http://www.debian.org/security/2010/dsa-2011', @@ -24104,14 +24736,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '=1.9.21', + 'affected_versions' => [ + '=1.9.21' + ], 'cves' => [ 'CVE-2004-2768' ], 'description' => 'dpkg 1.9.21 does not properly reset the metadata of a file during replacement of the file in a package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid file, (2) setgid file, or (3) device, a related issue to CVE-2010-2059. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.9.22', + 'fixed_versions' => [ + '>=1.9.22' + ], 'id' => 'CPANSA-Dpkg-2004-2768', 'references' => [ 'http://www.hackinglinuxexposed.com/articles/20031214.html', 
@@ -24124,14 +24760,18 @@ sub db { 'severity' => undef }, { - 'affected_versions' => '<1.15.10', + 'affected_versions' => [ + '<1.15.10' + ], 'cves' => [ 'CVE-2011-0402' ], 'description' => 'dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via a symlink attack on unspecified files in the .pc directory. ', 'distribution' => 'Dpkg', - 'fixed_versions' => '>=1.15.10', + 'fixed_versions' => [ + '>=1.15.10' + ], 'id' => 'CPANSA-Dpkg-2011-0402', 'references' => [ 'http://www.ubuntu.com/usn/USN-1038-1', @@ -24315,12 +24955,16 @@ sub db { 'Elive' => { 'advisories' => [ { - 'affected_versions' => '<1.20', + 'affected_versions' => [ + '<1.20' + ], 'cves' => [], 'description' => 'Elive::DAO->set() did not die on tainted data. ', 'distribution' => 'Elive', - 'fixed_versions' => '>=1.20', + 'fixed_versions' => [ + '>=1.20' + ], 'id' => 'CPANSA-Elive-2011-01', 'references' => [ 'https://metacpan.org/dist/Elive/changes' @@ -24892,14 +25536,18 @@ sub db { 'Email-Address' => { 'advisories' => [ { - 'affected_versions' => '<1.905', + 'affected_versions' => [ + '<1.905' + ], 'cves' => [ 'CVE-2014-0477' ], 'description' => 'Inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address. ', 'distribution' => 'Email-Address', - 'fixed_versions' => '>=1.905', + 'fixed_versions' => [ + '>=1.905' + ], 'id' => 'CPANSA-Email-Address-2014-01', 'references' => [ 'https://metacpan.org/changes/distribution/Email-Address' 
@@ -24907,14 +25555,18 @@ sub db { 'reported' => '2014-07-03' }, { - 'affected_versions' => '<1.909', + 'affected_versions' => [ + '<1.909' + ], 'cves' => [ 'CVE-2018-12558' ], 'description' => 'The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\\f"). ', 'distribution' => 'Email-Address', - 'fixed_versions' => '>=1.909', + 'fixed_versions' => [ + '>=1.909' + ], 'id' => 'CPANSA-Email-Address-2014-01', 'references' => [ 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873', @@ -24924,14 +25576,18 @@ sub db { 'reported' => '2018-06-19' }, { - 'affected_versions' => '<1.904', + 'affected_versions' => [ + '<1.904' + ], 'cves' => [ 'CVE-2014-4720' ], 'description' => 'Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to "backtracking into the phrase," a different vulnerability than CVE-2014-0477. ', 'distribution' => 'Email-Address', - 'fixed_versions' => '>=1.904', + 'fixed_versions' => [ + '>=1.904' + ], 'id' => 'CPANSA-Email-Address-2014-4720', 'references' => [ 'https://github.com/rjbs/Email-Address/blob/master/Changes', 
@@ -25132,14 +25788,18 @@ sub db { 'Email-MIME' => { 'advisories' => [ { - 'affected_versions' => '<1.954', + 'affected_versions' => [ + '<1.954' + ], 'cves' => [ 'CVE-2024-4140' ], 'description' => 'An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts. ', 'distribution' => 'Email-MIME', - 'fixed_versions' => '>=1.954', + 'fixed_versions' => [ + '>=1.954' + ], 'id' => 'CPANSA-Email-MIME-2024-4140', 'references' => [ 'https://bugs.debian.org/960062', @@ -25460,14 +26120,18 @@ sub db { 'Encode' => { 'advisories' => [ { - 'affected_versions' => '<2.85', + 'affected_versions' => [ + '<2.85' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Loading optional modules from . (current directory). ', 'distribution' => 'Encode', - 'fixed_versions' => '>=2.85', + 'fixed_versions' => [ + '>=2.85' + ], 'id' => 'CPANSA-Encode-2016-01', 'references' => [ 'https://metacpan.org/changes/distribution/Encode', @@ -25486,7 +26150,9 @@ sub db { 'description' => 'Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value. ', 'distribution' => 'Encode', - 'fixed_versions' => '>3.11', + 'fixed_versions' => [ + '>3.11' + ], 'id' => 'CPANSA-Encode-2021-01', 'references' => [ 'https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9', 
@@ -25501,14 +26167,18 @@ sub db { 'reported' => '2021-07-17' }, { - 'affected_versions' => '<2.44', + 'affected_versions' => [ + '<2.44' + ], 'cves' => [ 'CVE-2011-2939' ], 'description' => 'Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow. ', 'distribution' => 'Encode', - 'fixed_versions' => '>=2.44', + 'fixed_versions' => [ + '>=2.44' + ], 'id' => 'CPANSA-Encode-2011-2939', 'references' => [ 'http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5', @@ -26290,14 +26960,18 @@ sub db { 'ExtUtils-MakeMaker' => { 'advisories' => [ { - 'affected_versions' => '<7.22', + 'affected_versions' => [ + '<7.22' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Loading modules from . (current directory). ', 'distribution' => 'ExtUtils-MakeMaker', - 'fixed_versions' => '>=7.22', + 'fixed_versions' => [ + '>=7.22' + ], 'id' => 'CPANSA-ExtUtils-MakeMaker-2016-01', 'references' => [ 'https://metacpan.org/changes/distribution/ExtUtils-MakeMaker', @@ -28061,14 +28735,18 @@ sub db { 'FCGI' => { 'advisories' => [ { - 'affected_versions' => '<0.74', + 'affected_versions' => [ + '<0.74' + ], 'cves' => [ 'CVE-2011-2766' ], 'description' => 'Leaking information across requests when using the deprecated and undocumented old FCGI interface. ', 'distribution' => 'FCGI', - 'fixed_versions' => '>=0.74', + 'fixed_versions' => [ + '>=0.74' + ], 'id' => 'CPANSA-FCGI-2011-01', 'references' => [ 'https://metacpan.org/changes/distribution/FCGI', 
@@ -28324,14 +29002,18 @@ sub db { 'Fake-Encode' => { 'advisories' => [ { - 'affected_versions' => '<0.08', + 'affected_versions' => [ + '<0.08' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Loading modules from . (current directory). ', 'distribution' => 'Fake-Encode', - 'fixed_versions' => '>=0.08', + 'fixed_versions' => [ + '>=0.08' + ], 'id' => 'CPANSA-Fake-Encode-2017-01', 'references' => [ 'https://metacpan.org/changes/distribution/Fake-Encode' @@ -28390,14 +29072,18 @@ sub db { 'Fake-Our' => { 'advisories' => [ { - 'affected_versions' => '<0.06', + 'affected_versions' => [ + '<0.06' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Loading modules from . (current directory). ', 'distribution' => 'Fake-Our', - 'fixed_versions' => '>=0.06', + 'fixed_versions' => [ + '>=0.06' + ], 'id' => 'CPANSA-Fake-Our-2017-01', 'references' => [ 'https://metacpan.org/changes/distribution/Fake-Our' @@ -28480,14 +29166,18 @@ sub db { 'File-DataClass' => { 'advisories' => [ { - 'affected_versions' => '<0.72.1', + 'affected_versions' => [ + '<0.72.1' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Loading modules from . (current directory). ', 'distribution' => 'File-DataClass', - 'fixed_versions' => '>=0.72.1', + 'fixed_versions' => [ + '>=0.72.1' + ], 'id' => 'CPANSA-File-DataClass-2017-01', 'references' => [ 'https://metacpan.org/changes/distribution/File-DataClass' @@ -28966,12 +29656,14 @@ sub db { 'File-KeePass' => { 'advisories' => [ { - 'affected_versions' => '>0', + 'affected_versions' => [ + '>0' + ], 'cves' => [], 'description' => 'The module is making use of the perl rand function for key and iv generation (for Crypt::Rijndael). ', 'distribution' => 'File-KeePass', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-File-KeePass-2016-01', 'references' => [ 'https://rt.cpan.org/Ticket/Display.html?id=117836' 
@@ -29044,7 +29736,7 @@ sub db { 'description' => 'Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5302 due to affected versions. ', 'distribution' => 'File-Path', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-File-Path-2008-5303', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286905', @@ -29083,7 +29775,7 @@ sub db { 'description' => 'Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions. ', 'distribution' => 'File-Path', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-File-Path-2008-5302', 'references' => [ 'http://www.gossamer-threads.com/lists/perl/porters/233695#233695', @@ -29122,7 +29814,9 @@ sub db { 'description' => 'The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452. ', 'distribution' => 'File-Path', - 'fixed_versions' => '>=2.07', + 'fixed_versions' => [ + '>=2.07' + ], 'id' => 'CPANSA-File-Path-2008-2827', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487319', 
@@ -29150,7 +29844,7 @@ sub db { 'description' => 'Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. ', 'distribution' => 'File-Path', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-File-Path-2005-0448', 'references' => [ 'http://www.debian.org/security/2005/dsa-696', @@ -29185,7 +29879,7 @@ sub db { 'description' => 'Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. ', 'distribution' => 'File-Path', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-File-Path-2004-0452', 'references' => [ 'http://www.debian.org/security/2004/dsa-620', @@ -29426,12 +30120,16 @@ sub db { 'File-Slurp' => { 'advisories' => [ { - 'affected_versions' => '<9999.26', + 'affected_versions' => [ + '<9999.26' + ], 'cves' => [], 'description' => 'Use of sysread treats any :encoding(...) as effectively :utf8. ', 'distribution' => 'File-Slurp', - 'fixed_versions' => '>=9999.26', + 'fixed_versions' => [ + '>=9999.26' + ], 'id' => 'CPANSA-File-Slurp-2013-01', 'references' => [ 'https://rt.cpan.org/Public/Bug/Display.html?id=83126', @@ -29603,14 +30301,16 @@ sub db { 'File-Temp' => { 'advisories' => [ { - 'affected_versions' => '>0', + 'affected_versions' => [ + '>0' + ], 'cves' => [ 'CVE-2011-4116' ], 'description' => '_is_safe in the File::Temp module for Perl does not properly handle symlinks. ', 'distribution' => 'File-Temp', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-File-Temp-2011-4116', 'references' => [ 'http://www.openwall.com/lists/oss-security/2011/11/04/2', 
@@ -29746,14 +30446,16 @@ sub db { 'Filesys-SmbClientParser' => { 'advisories' => [ { - 'affected_versions' => '<=2.7', + 'affected_versions' => [ + '<=2.7' + ], 'cves' => [ 'CVE-2008-3285' ], 'description' => 'The Filesys::SmbClientParser module 2.7 and earlier for Perl allows remote SMB servers to execute arbitrary code via a folder name containing shell metacharacters. ', 'distribution' => 'Filesys-SmbClientParser', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Filesys-SmbClientParser-2008-3285', 'references' => [ 'http://www.securityfocus.com/bid/30290', @@ -29829,12 +30531,16 @@ sub db { 'GBrowse' => { 'advisories' => [ { - 'affected_versions' => '<2.56', + 'affected_versions' => [ + '<2.56' + ], 'cves' => [], 'description' => 'An attacker is able to delete other users\' accounts. No httponly cookie flag. Cross-site scripting vulnerability in generation of citation text. ', 'distribution' => 'GBrowse', - 'fixed_versions' => '>=2.56', + 'fixed_versions' => [ + '>=2.56' + ], 'id' => 'CPANSA-GBrowse-2017-01', 'references' => [ 'https://metacpan.org/changes/distribution/GBrowse' @@ -29842,12 +30548,16 @@ sub db { 'reported' => '2017-01-15' }, { - 'affected_versions' => '<1.62', + 'affected_versions' => [ + '<1.62' + ], 'cves' => [], 'description' => 'Cross-site scripting. ', 'distribution' => 'GBrowse', - 'fixed_versions' => '>=1.62', + 'fixed_versions' => [ + '>=1.62' + ], 'id' => 'CPANSA-GBrowse-2004-01', 'references' => [ 'https://metacpan.org/changes/distribution/GBrowse' @@ -29855,12 +30565,16 @@ sub db { 'reported' => '2004-04-05' }, { - 'affected_versions' => '<1.54', + 'affected_versions' => [ + '<1.54' + ], 'cves' => [], 'description' => 'Path traversal. ', 'distribution' => 'GBrowse', - 'fixed_versions' => '>=1.54', + 'fixed_versions' => [ + '>=1.54' + ], 'id' => 'CPANSA-GBrowse-2003-01', 'references' => [ 'https://metacpan.org/changes/distribution/GBrowse' 
@@ -30187,14 +30901,18 @@ sub db { 'GD' => { 'advisories' => [ { - 'affected_versions' => '<2.72', + 'affected_versions' => [ + '<2.72' + ], 'cves' => [ 'CVE-2019-6977' ], 'description' => 'gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data. ', 'distribution' => 'GD', - 'fixed_versions' => '>=2.72', + 'fixed_versions' => [ + '>=2.72' + ], 'id' => 'CPANSA-GD-2019-6977', 'references' => [ 'https://nvd.nist.gov/vuln/detail/CVE-2019-6977', @@ -30669,14 +31387,16 @@ sub db { 'GPIB' => { 'advisories' => [ { - 'affected_versions' => undef, + 'affected_versions' => [ + '>0' + ], 'cves' => [ 'CVE-2006-1565' ], 'description' => 'Untrusted search path vulnerability in libgpib-perl 3.2.06-2 in Debian GNU/Linux includes an RPATH value under the /tmp/buildd directory for the LinuxGpib.so module, which might allow local users to gain privileges by installing malicious libraries in that directory. ', 'distribution' => 'GPIB', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-GPIB-2006-1565', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359239', 
@@ -30698,14 +31418,18 @@ sub db { 'Galileo' => { 'advisories' => [ { - 'affected_versions' => '<0.043', + 'affected_versions' => [ + '<0.043' + ], 'cves' => [ 'CVE-2019-7410' ], 'description' => 'There is stored cross site scripting (XSS) in Galileo CMS v0.042. Remote authenticated users could inject arbitrary web script or HTML via $page_title in /lib/Galileo/files/templates/page/show.html.ep (aka the PAGE TITLE Field). ', 'distribution' => 'Galileo', - 'fixed_versions' => '>=0.043', + 'fixed_versions' => [ + '>=0.043' + ], 'id' => 'CPANSA-Galileo-2019-7410', 'references' => [ 'https://metamorfosec.com/Files/Commits/METC-2020-002-Escape_banner_in_Galileo_CMS_v0.042.txt', @@ -30896,14 +31620,16 @@ sub db { 'GitLab-API-v4' => { 'advisories' => [ { - 'affected_versions' => '>=0.26', + 'affected_versions' => [ + '>=0.26' + ], 'cves' => [ 'CVE-2023-31485' ], 'description' => 'GitLab::API::v4 is missing the verify_SSL=>1 flag in HTTP::Tiny, allowing a network attacker to MITM connections to the GitLab server. ', 'distribution' => 'GitLab-API-v4', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-GitLab-API-v4-2023-31485', 'references' => [ 'https://github.com/bluefeet/GitLab-API-v4/pull/57', @@ -31029,12 +31755,16 @@ sub db { 'Graphics-ColorNames' => { 'advisories' => [ { - 'affected_versions' => '>=2.0_01,<=3.1.2', + 'affected_versions' => [ + '>=2.0_01,<=3.1.2' + ], 'cves' => [], 'description' => 'A specially-named file may lead to HTML injection attacks. ', 'distribution' => 'Graphics-ColorNames', - 'fixed_versions' => '>3.1.2', + 'fixed_versions' => [ + '>3.1.2' + ], 'id' => 'CPANSA-Graphics-ColorNames-2010-02', 'references' => [ 'https://metacpan.org/changes/distribution/Graphics-ColorNames', 
@@ -31246,14 +31976,16 @@ sub db { 'HTML-EP' => { 'advisories' => [ { - 'affected_versions' => '>=0.2011', + 'affected_versions' => [ + '>=0.2011' + ], 'cves' => [ 'CVE-2012-6142' ], 'description' => 'HTML::EP::Session::Cookie in the HTML::EP module 0.2011 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized. ', 'distribution' => 'HTML-EP', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-HTML-EP-2012-6142', 'references' => [ 'http://www.securityfocus.com/bid/59833', @@ -31423,14 +32155,16 @@ sub db { 'HTML-Parser' => { 'advisories' => [ { - 'affected_versions' => '<3.63', + 'affected_versions' => [ + '<3.63' + ], 'cves' => [ 'CVE-2009-3627' ], 'description' => 'The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character. ', 'distribution' => 'HTML-Parser', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-HTML-Parser-2009-3627', 'references' => [ 'https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225', @@ -31865,12 +32599,16 @@ sub db { 'HTML-Perlinfo' => { 'advisories' => [ { - 'affected_versions' => '<1.52', + 'affected_versions' => [ + '<1.52' + ], 'cves' => [], 'description' => 'Possibility of denial-of-service attack. ', 'distribution' => 'HTML-Perlinfo', - 'fixed_versions' => '>=1.52', + 'fixed_versions' => [ + '>=1.52' + ], 'id' => 'CPANSA-HTML-Perlinfo-2008-01', 'references' => [ 'https://metacpan.org/changes/release/ACCARDO/HTML-Perlinfo-1.52' 
@@ -32037,14 +32775,18 @@ sub db { 'HTML-Scrubber' => { 'advisories' => [ { - 'affected_versions' => '<0.15', + 'affected_versions' => [ + '<0.15' + ], 'cves' => [ 'CVE-2015-5667' ], 'description' => 'Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment. ', 'distribution' => 'HTML-Scrubber', - 'fixed_versions' => '>=0.15', + 'fixed_versions' => [ + '>=0.15' + ], 'id' => 'CPANSA-HTML-Scrubber-2015-5667', 'references' => [ 'http://jvn.jp/en/jp/JVN53973084/index.html', @@ -32137,14 +32879,16 @@ sub db { 'HTML-StripScripts' => { 'advisories' => [ { - 'affected_versions' => '<=1.06', + 'affected_versions' => [ + '<=1.06' + ], 'cves' => [ 'CVE-2023-24038' ], 'description' => 'The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes. ', 'distribution' => 'HTML-StripScripts', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-HTML-StripScripts-2023-24038', 'references' => [ 'https://github.com/clintongormley/perl-html-stripscripts/issues/3', @@ -32214,14 +32958,18 @@ sub db { 'HTML-Template-Pro' => { 'advisories' => [ { - 'affected_versions' => '<0.9507', + 'affected_versions' => [ + '<0.9507' + ], 'cves' => [ 'CVE-2011-4616' ], 'description' => 'Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module before 0.9507 for Perl allows remote attackers to inject arbitrary web script or HTML via template parameters, related to improper handling of > (greater than) and < (less than) characters. ', 'distribution' => 'HTML-Template-Pro', - 'fixed_versions' => '>=0.9507', + 'fixed_versions' => [ + '>=0.9507' + ], 'id' => 'CPANSA-HTML-Template-Pro-2011-4616', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652587', 
@@ -32505,14 +33253,18 @@ sub db { 'HTTP-Body' => { 'advisories' => [ { - 'affected_versions' => '>=1.08,<1.23', + 'affected_versions' => [ + '>=1.08,<1.23' + ], 'cves' => [ 'CVE-2013-4407' ], 'description' => 'HTTP::Body::Multipart in the HTTP-Body 1.08, 1.22, and earlier module for Perl uses the part of the uploaded file\'s name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed. ', 'distribution' => 'HTTP-Body', - 'fixed_versions' => '>=1.23', + 'fixed_versions' => [ + '>=1.23' + ], 'id' => 'CPANSA-HTTP-Body-2013-4407', 'references' => [ 'https://www.openwall.com/lists/oss-security/2024/04/07/1', 
@@ -32658,14 +33410,18 @@ sub db { 'HTTP-Daemon' => { 'advisories' => [ { - 'affected_versions' => '<6.15', + 'affected_versions' => [ + '<6.15' + ], 'cves' => [ 'CVE-2022-31081' ], 'description' => 'HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the \'Content-Length\' (`my $cl = $rqst->header(\'Content-Length\')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of \'Content-Length\' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected. ', 'distribution' => 'HTTP-Daemon', - 'fixed_versions' => '>=6.15', + 'fixed_versions' => [ + '>=6.15' + ], 'id' => 'CPANSA-HTTP-Daemon-2022-31081', 'references' => [ 'https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2', @@ -32757,12 +33513,16 @@ sub db { 'HTTP-Session2' => { 'advisories' => [ { - 'affected_versions' => '<1.10', + 'affected_versions' => [ + '<1.10' + ], 'cves' => [], 'description' => 'HTTP::Session2 1.10 does not validate session id, this causes RCE depending on the session store you use. ', 'distribution' => 'HTTP-Session2', - 'fixed_versions' => '>=1.10', + 'fixed_versions' => [ + '>=1.10' + ], 'id' => 'CPANSA-HTTP-Session2-2018-01', 'references' => [ 'https://metacpan.org/changes/distribution/HTTP-Session2', 
@@ -32843,18 +33603,19 @@ sub db { 'HTTP-Tiny' => { 'advisories' => [ { - 'affected_versions' => '<0.083', + 'affected_versions' => [ + '<0.083' + ], 'cves' => [ 'CVE-2023-31486' ], - 'description' => 'HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available standalone -on CPAN, does not verify TLS certs by default. Users must opt-in with the -verify_SSL=>1 flag to verify certs when using HTTPS. -Resulting in a CWE-1188: Insecure Default Initialization of Resource -weakness. + 'description' => 'HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available standalone on CPAN, does not verify TLS certs by default. Users must opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS. +Resulting in a CWE-1188: Insecure Default Initialization of Resource weakness. ', 'distribution' => 'HTTP-Tiny', - 'fixed_versions' => '>=0.083', + 'fixed_versions' => [ + '>=0.083' + ], 'id' => 'CPANSA-HTTP-Tiny-2023-31486', 'references' => [ 'https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/', @@ -32872,14 +33633,18 @@ weakness. 'reported' => '2023-02-14' }, { - 'affected_versions' => '<0.059', + 'affected_versions' => [ + '<0.059' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Loading modules from . (current directory). ', 'distribution' => 'HTTP-Tiny', - 'fixed_versions' => '>=0.059', + 'fixed_versions' => [ + '>=0.059' + ], 'id' => 'CPANSA-HTTP-Tiny-2016-1238', 'references' => [ 'https://metacpan.org/changes/distribution/HTTP-Tiny', @@ -32888,12 +33653,16 @@ weakness. 'reported' => '2016-07-29' }, { - 'affected_versions' => '<0.039', + 'affected_versions' => [ + '<0.039' + ], 'cves' => [], 'description' => 'Temporary file creating during mirror() not opened exclusively. ', 'distribution' => 'HTTP-Tiny', - 'fixed_versions' => '>=0.039', + 'fixed_versions' => [ + '>=0.039' + ], 'id' => 'CPANSA-HTTP-Tiny-2013-01', 'references' => [ 'https://metacpan.org/dist/HTTP-Tiny/changes' 
@@ -33232,14 +34001,18 @@ weakness. 'IO-Compress' => { 'advisories' => [ { - 'affected_versions' => '<2.070', + 'affected_versions' => [ + '<2.070' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'IO-Compress', - 'fixed_versions' => '>=2.070', + 'fixed_versions' => [ + '>=2.070' + ], 'id' => 'CPANSA-IO-Compress-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', 
@@ -34810,14 +35583,18 @@ weakness. 'IPC-Cmd' => { 'advisories' => [ { - 'affected_versions' => '<0.96', + 'affected_versions' => [ + '<0.96' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'IPC-Cmd', - 'fixed_versions' => '>=0.96', + 'fixed_versions' => [ + '>=0.96' + ], 'id' => 'CPANSA-IPC-Cmd-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', @@ -35096,7 +35873,9 @@ weakness. 'description' => 'INADDR_ANY can be your external ip, IPC::Run should only listen on localhost. ', 'distribution' => 'IPC-Run', - 'fixed_versions' => '>=0.90', + 'fixed_versions' => [ + '>=0.90' + ], 'id' => 'CPANSA-IPC-Run-2009-01', 'references' => [ 'https://metacpan.org/dist/IPC-Run/changes', 
@@ -35364,14 +36143,16 @@ weakness. 'IPTables-Parse' => { 'advisories' => [ { - 'affected_versions' => '<1.6', + 'affected_versions' => [ + '<1.6' + ], 'cves' => [ 'CVE-2015-8326' ], 'description' => 'The IPTables-Parse module before 1.6 for Perl allows local users to write to arbitrary files owned by the current user. ', 'distribution' => 'IPTables-Parse', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-IPTables-Parse-2015-8326', 'references' => [ 'https://metacpan.org/source/MRASH/IPTables-Parse-1.6/Changes', @@ -35434,14 +36215,18 @@ weakness. 'Image-ExifTool' => { 'advisories' => [ { - 'affected_versions' => '<=12.37', + 'affected_versions' => [ + '<=12.37' + ], 'cves' => [ 'CVE-2022-23935' ], 'description' => 'lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\\|$/ check, leading to command injection. ', 'distribution' => 'Image-ExifTool', - 'fixed_versions' => '>12.38', + 'fixed_versions' => [ + '>12.38' + ], 'id' => 'CPANSA-Image-ExifTool-2022-23935', 'references' => [ 'https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582', 
@@ -35451,17 +36236,20 @@ weakness. 'severity' => 'critical' }, { - 'affected_versions' => '>=7.44,<=12.23', + 'affected_versions' => [ + '>=7.44,<=12.23' + ], 'cves' => [ 'CVE-2021-22204' ], 'description' => 'Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image ', 'distribution' => 'Image-ExifTool', - 'fixed_versions' => '>12.23', + 'fixed_versions' => [ + '>12.23' + ], 'id' => 'CPANSA-Image-ExifTool-2021-22204', 'references' => [ - 'https://rt.cpan.org/Public/Bug/Display.html?id=>=7.44,<=12.23', 'http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html', 'http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html', 'http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html', @@ -35481,14 +36269,18 @@ weakness. 'severity' => undef }, { - 'affected_versions' => '=8.32', + 'affected_versions' => [ + '=8.32' + ], 'cves' => [ 'CVE-2018-20211' ], 'description' => 'ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\\\\par-%username%\\\\cache-exiftool-8.32 folder with a victim\'s username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015). ', 'distribution' => 'Image-ExifTool', - 'fixed_versions' => '>8', + 'fixed_versions' => [ + '>8' + ], 'id' => 'CPANSA-Image-ExifTool-2018-20211', 'references' => [ 'http://packetstormsecurity.com/files/150892/Exiftool-8.3.2.0-DLL-Hijacking.html', 
@@ -35893,14 +36685,16 @@ weakness. 'Image-Info' => { 'advisories' => [ { - 'affected_versions' => '>=2.12', + 'affected_versions' => [ + '>=2.12' + ], 'cves' => [ 'CVE-2016-9181' ], 'description' => 'perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could cause denial of service or, potentially, information disclosure. ', 'distribution' => 'Image-Info', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Image-Info-2016-01', 'references' => [ 'http://www.securityfocus.com/bid/94220', @@ -36240,14 +37034,18 @@ weakness. 'Imager' => { 'advisories' => [ { - 'affected_versions' => '<1.006', + 'affected_versions' => [ + '<1.006' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Imager would search the default current directory entry in @INC when searching for file format support modules. ', 'distribution' => 'Imager', - 'fixed_versions' => '>=1.006', + 'fixed_versions' => [ + '>=1.006' + ], 'id' => 'CPANSA-Imager-2016-1238', 'references' => [ 'https://metacpan.org/dist/Imager/changes', @@ -36278,14 +37076,18 @@ weakness. 'severity' => 'high' }, { - 'affected_versions' => '>=0.42,<=0.63', + 'affected_versions' => [ + '>=0.42,<=0.63' + ], 'cves' => [ 'CVE-2008-1928' ], 'description' => 'Buffer overflow in Imager 0.42 through 0.63 allows attackers to cause a denial of service (crash) via an image based fill in which the number of input channels is different from the number of output channels. ', 'distribution' => 'Imager', - 'fixed_versions' => '>=0.64', + 'fixed_versions' => [ + '>=0.64' + ], 'id' => 'CPANSA-Imager-2008-1928', 'references' => [ 'https://metacpan.org/dist/Imager/changes', 
@@ -36309,14 +37111,18 @@ weakness. 'severity' => undef }, { - 'affected_versions' => '>=0.21,<=0.56', + 'affected_versions' => [ + '>=0.21,<=0.56' + ], 'cves' => [ 'CVE-2007-2459' ], 'description' => 'Heap-based buffer overflow in the BMP reader (bmp.c) in Imager perl module (libimager-perl) 0.45 through 0.56 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted 8-bit/pixel compressed BMP files. ', 'distribution' => 'Imager', - 'fixed_versions' => '>=0.57', + 'fixed_versions' => [ + '>=0.57' + ], 'id' => 'CPANSA-Imager-2007-2459', 'references' => [ 'http://imager.perl.org/a/65.html', @@ -36342,12 +37148,16 @@ weakness. 'severity' => undef }, { - 'affected_versions' => '<0.98', + 'affected_versions' => [ + '<0.98' + ], 'cves' => [], 'description' => 'When drawing on an image with an alpha channel where the source minimum is greater than zero, Imager would read from beyond the end of a malloc() allocated buffer. In rare circumstances this could lead to some of the source image not being written to the target image, or possibly to a segmentation fault. ', 'distribution' => 'Imager', - 'fixed_versions' => '>=0.98', + 'fixed_versions' => [ + '>=0.98' + ], 'id' => 'CPANSA-Imager-2014-01', 'references' => [ 'https://metacpan.org/dist/Imager/changes' @@ -36919,12 +37729,16 @@ weakness. 'Jifty' => { 'advisories' => [ { - 'affected_versions' => '<1.10518', + 'affected_versions' => [ + '<1.10518' + ], 'cves' => [], 'description' => 'The path as passed in the fragment request data structure was used verbatim in the dispatcher and other locations. This possibly allowed requests to walk around ACLs by requesting \'/some/safe/place/../../../dangerous\' as a fragment. ', 'distribution' => 'Jifty', - 'fixed_versions' => '>=1.10518', + 'fixed_versions' => [ + '>=1.10518' + ], 'id' => 'CPANSA-Jifty-2011-01', 'references' => [ 'https://metacpan.org/dist/Jifty/changes' 
@@ -36932,12 +37746,16 @@ weakness. 'reported' => '2011-03-17' }, { - 'affected_versions' => '<0.90409', + 'affected_versions' => [ + '<0.90409' + ], 'cves' => [], 'description' => 'The REST plugin would let you call any method on the model. ', 'distribution' => 'Jifty', - 'fixed_versions' => '>=0.90409', + 'fixed_versions' => [ + '>=0.90409' + ], 'id' => 'CPANSA-Jifty-2009-01', 'references' => [ 'https://metacpan.org/dist/Jifty/changes' @@ -36945,12 +37763,16 @@ weakness. 'reported' => '2009-04-09' }, { - 'affected_versions' => '<0.70408', + 'affected_versions' => [ + '<0.70408' + ], 'cves' => [], 'description' => 'Allowed all actions on GET. ', 'distribution' => 'Jifty', - 'fixed_versions' => '>=0.80408', + 'fixed_versions' => [ + '>=0.80408' + ], 'id' => 'CPANSA-Jifty-2008-01', 'references' => [ 'https://metacpan.org/dist/Jifty/changes' @@ -36958,12 +37780,16 @@ weakness. 'reported' => '2009-04-08' }, { - 'affected_versions' => '<0.60706', + 'affected_versions' => [ + '<0.60706' + ], 'cves' => [], 'description' => 'Jifty did not protect users against a class of remote data access vulnerability. If an attacker knew the structure of your local filesystem and you were using the "standalone" webserver in production, the attacker could gain read only access to local files. ', 'distribution' => 'Jifty', - 'fixed_versions' => '>=0.60706', + 'fixed_versions' => [ + '>=0.60706' + ], 'id' => 'CPANSA-Jifty-2006-01', 'references' => [ 'https://metacpan.org/dist/Jifty/changes' @@ -37102,12 +37928,16 @@ weakness. 'Jifty-DBI' => { 'advisories' => [ { - 'affected_versions' => '<0.68', + 'affected_versions' => [ + '<0.68' + ], 'cves' => [], 'description' => 'SQL injection in column names, operators, order and group by. ', 'distribution' => 'Jifty-DBI', - 'fixed_versions' => '>=0.68', + 'fixed_versions' => [ + '>=0.68' + ], 'id' => 'CPANSA-Jifty-DBI-2011-01', 'references' => [ 'https://metacpan.org/dist/Jifty-DBI/changes', 
@@ -37331,12 +38161,16 @@ weakness. 'Kelp' => { 'advisories' => [ { - 'affected_versions' => '<0.9001', + 'affected_versions' => [ + '<0.9001' + ], 'cves' => [], 'description' => 'X-Real-IP, X-Forwarded-Host and X-Remote-User headers were trusted and used in Kelp::Request ', 'distribution' => 'Kelp', - 'fixed_versions' => '>=0.9001', + 'fixed_versions' => [ + '>=0.9001' + ], 'id' => 'CPANSA-Kelp-2014-01', 'references' => [ 'https://metacpan.org/dist/Kelp/changes', @@ -37607,14 +38441,18 @@ weakness. 'Kossy' => { 'advisories' => [ { - 'affected_versions' => '<0.60', + 'affected_versions' => [ + '<0.60' + ], 'cves' => [ 'CVE-2021-47157' ], 'description' => 'Flaw in defense from JSON hijacking. ', 'distribution' => 'Kossy', - 'fixed_versions' => '>=0.60', + 'fixed_versions' => [ + '>=0.60' + ], 'id' => 'CPANSA-Kossy-2021-01', 'references' => [ 'https://github.com/kazeburo/Kossy/pull/16', @@ -37791,12 +38629,16 @@ weakness. 'LWP-Protocol-Net-Curl' => { 'advisories' => [ { - 'affected_versions' => '<0.009', + 'affected_versions' => [ + '<0.009' + ], 'cves' => [], 'description' => 'Misconfiguration with libcurl v7.28.1 causes a HTTPS validation issues. ', 'distribution' => 'LWP-Protocol-Net-Curl', - 'fixed_versions' => '>=0.009', + 'fixed_versions' => [ + '>=0.009' + ], 'id' => 'CPANSA-LWP-Protocol-Net-Curl-2012-01', 'references' => [ 'https://metacpan.org/changes/distribution/LWP-Protocol-Net-Curl', 
@@ -37916,14 +38758,16 @@ weakness. 'LWP-Protocol-https' => { 'advisories' => [ { - 'affected_versions' => '>=6.04,<=6.06', + 'affected_versions' => [ + '>=6.04,<=6.06' + ], 'cves' => [ 'CVE-2014-3230' ], 'description' => 'The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable. ', 'distribution' => 'LWP-Protocol-https', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-LWP-Protocol-https-2014-3230', 'references' => [ 'http://www.openwall.com/lists/oss-security/2014/05/04/1', @@ -37991,12 +38835,16 @@ weakness. 'Lemonldap-NG-Portal' => { 'advisories' => [ { - 'affected_versions' => '<0.87', + 'affected_versions' => [ + '<0.87' + ], 'cves' => [], 'description' => 'When running on Apache with thread support setMacros and setGroups were not launched with the good datas. ', 'distribution' => 'Lemonldap-NG-Portal', - 'fixed_versions' => '>=0.87', + 'fixed_versions' => [ + '>=0.87' + ], 'id' => 'CPANSA-Lemonldap-NG-Portal-2009-01', 'references' => [ 'https://metacpan.org/changes/distribution/Lemonldap-NG-Portal' 
@@ -38479,14 +39327,16 @@ weakness. 'Locale-Maketext' => { 'advisories' => [ { - 'affected_versions' => '<1.25', + 'affected_versions' => [ + '<1.25' + ], 'cves' => [ 'CVE-2012-6329' ], 'description' => 'The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6. ', 'distribution' => 'Locale-Maketext', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Locale-Maketext-2012-6329', 'references' => [ 'http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8', @@ -38511,14 +39361,18 @@ weakness. 'severity' => undef }, { - 'affected_versions' => '<1.28', + 'affected_versions' => [ + '<1.28' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => 'Does not remove . from @INC, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'Locale-Maketext', - 'fixed_versions' => '>=1.28', + 'fixed_versions' => [ + '>=1.28' + ], 'id' => 'CPANSA-Locale-Maketext-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', @@ -38704,12 +39558,16 @@ weakness. 'Log-Any' => { 'advisories' => [ { - 'affected_versions' => '>=1.712,<=1.715', + 'affected_versions' => [ + '>=1.712,<=1.715' + ], 'cves' => [], 'description' => 'The WithStackTrace proxy may expose sensitive information ', 'distribution' => 'Log-Any', - 'fixed_versions' => '1.716', + 'fixed_versions' => [ + '1.716' + ], 'id' => 'CPANSA-Log-Any-2023-001', 'references' => [ 'https://metacpan.org/dist/Log-Any/changes', 
@@ -38958,14 +39816,16 @@ weakness. 'MARC-File-XML' => { 'advisories' => [ { - 'affected_versions' => '<1.0.2', + 'affected_versions' => [ + '<1.0.2' + ], 'cves' => [ 'CVE-2014-1626' ], 'description' => 'XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file. ', 'distribution' => 'MARC-File-XML', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MARC-File-XML-2014-1626', 'references' => [ 'http://www.securityfocus.com/bid/65057', @@ -39003,7 +39863,7 @@ weakness. 'description' => 'perl-MDK-Common 1.1.11 and 1.1.24, 1.2.9 through 1.2.14, and possibly other versions, in Mandriva Linux does not properly handle strings when writing them to configuration files, which allows attackers to gain privileges via "special characters" in unspecified vectors.\' ', 'distribution' => 'MDK-Common', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MDK-Common-2009-0912', 'references' => [ 'http://www.securityfocus.com/bid/34089', @@ -39050,14 +39910,18 @@ weakness. 'MHonArc' => { 'advisories' => [ { - 'affected_versions' => '<2.6.17', + 'affected_versions' => [ + '<2.6.17' + ], 'cves' => [ 'CVE-2010-4524' ], 'description' => 'Improper escaping of certain HTML sequences (XSS). ', 'distribution' => 'MHonArc', - 'fixed_versions' => '>=2.6.17', + 'fixed_versions' => [ + '>=2.6.17' + ], 'id' => 'CPANSA-MHonArc-2011-01', 'references' => [ 'https://metacpan.org/changes/distribution/MHonArc' 
@@ -39065,14 +39929,18 @@ weakness. 'reported' => '2011-01-09' }, { - 'affected_versions' => '<2.6.17', + 'affected_versions' => [ + '<2.6.17' + ], 'cves' => [ 'CVE-2010-1677' ], 'description' => 'DoS when processing html messages with deep tag nesting. ', 'distribution' => 'MHonArc', - 'fixed_versions' => '>=2.6.17', + 'fixed_versions' => [ + '>=2.6.17' + ], 'id' => 'CPANSA-MHonArc-2011-02', 'references' => [ 'https://metacpan.org/changes/distribution/MHonArc' @@ -39323,12 +40191,16 @@ weakness. 'MIME-tools' => { 'advisories' => [ { - 'affected_versions' => '<4.109', + 'affected_versions' => [ + '<4.109' + ], 'cves' => [], 'description' => 'There was a potential security hole when outputting entities with recommended filenames. ', 'distribution' => 'MIME-tools', - 'fixed_versions' => '>=4.109', + 'fixed_versions' => [ + '>=4.109' + ], 'id' => 'CPANSA-MIME-tools-1998-01', 'references' => [ 'https://metacpan.org/dist/MIME-tools/changes' @@ -39658,7 +40530,7 @@ weakness. 'description' => 'lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2013-0209', 'references' => [ 'http://www.sec-1.com/blog/wp-content/uploads/2013/01/movabletype_upgrade_exec.rb_.txt', 
@@ -39707,7 +40579,7 @@ weakness. 'description' => 'Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20837', 'references' => [ 'https://jvn.jp/en/jp/JVN41119755/index.html', @@ -39729,7 +40601,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20814', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', @@ -39749,7 +40621,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20813', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', 
@@ -39770,7 +40642,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20815', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', @@ -39791,7 +40663,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20811', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', 
@@ -39812,7 +40684,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20810', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', @@ -39833,7 +40705,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20809', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', 
@@ -39854,7 +40726,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20808', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', @@ -39864,7 +40736,9 @@ weakness. 'severity' => 'medium' }, { - 'affected_versions' => undef, + 'affected_versions' => [ + '<=1.37' + ], 'cves' => [ 'CVE-2020-5669' ], @@ -39872,7 +40746,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2020-5669', 'references' => [ 'https://www.sixapart.jp/movabletype/news/2020/11/18-1101.html', 
@@ -39893,7 +40767,7 @@ weakness. 'description' => 'Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a php script via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2020-5577', 'references' => [ 'https://jvn.jp/en/jp/JVN28806943/index.html', @@ -39914,7 +40788,7 @@ weakness. 'description' => 'Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to hijack the authentication of administrators via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2020-5576', 'references' => [ 'https://jvn.jp/en/jp/JVN28806943/index.html', 
@@ -39935,7 +40809,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2020-5575', 'references' => [ 'https://jvn.jp/en/jp/JVN28806943/index.html', @@ -39956,7 +40830,7 @@ weakness. 'description' => 'HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2020-5574', 'references' => [ 'https://jvn.jp/en/jp/JVN28806943/index.html', 
@@ -39977,7 +40851,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)) allows remote attackers to inject arbitrary web script or HTML in the block editor and the rich text editor via a specially crafted URL. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2020-5528', 'references' => [ 'https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html', @@ -39999,7 +40873,7 @@ weakness. 'description' => 'Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2019-6025', 'references' => [ 'https://movabletype.org/news/2019/11/movable_type_r4603_v714_v652_and_v6310_released.html', 
@@ -40019,7 +40893,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2018-0672', 'references' => [ 'http://jvn.jp/en/jp/JVN89550319/index.html' @@ -40040,7 +40914,7 @@ weakness. 'description' => 'SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2016-5742', 'references' => [ 'https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html', @@ -40064,7 +40938,7 @@ weakness. 'description' => 'Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2015-1592', 'references' => [ 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html', @@ -40091,7 +40965,7 @@ weakness. 'description' => 'SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2014-9057', 'references' => [ 'https://movabletype.org/news/2014/12/6.0.6.html', 
@@ -40113,7 +40987,7 @@ weakness. 'description' => 'Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2013-2184', 'references' => [ 'https://movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html', @@ -40135,7 +41009,7 @@ weakness. 'description' => 'Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2012-1503', 'references' => [ 'http://www.cloudscan.me/2012/10/cve-2012-1503-movable-type-pro-513en.html', @@ -40161,7 +41035,7 @@ weakness. 'description' => 'Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via unspecified vectors related to the (1) commenting feature and (2) community script. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2012-0320', 'references' => [ 'http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html', @@ -40188,7 +41062,7 @@ weakness. 'description' => 'Multiple cross-site request forgery (CSRF) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to hijack the authentication of arbitrary users for requests that modify data via the (1) commenting feature or (2) community script. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2012-0317', 'references' => [ 'http://jvn.jp/en/jp/JVN70683217/index.html', 
@@ -40214,7 +41088,7 @@ weakness. 'description' => 'Unspecified vulnerability in Movable Type 4.x before 4.36 and 5.x before 5.05 allows remote attackers to read or modify data via unknown vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2011-5085', 'references' => [ 'http://www.movabletype.org/2011/05/movable_type_51_and_505_436_security_update.html', @@ -40235,7 +41109,7 @@ weakness. 'description' => 'Cross-site scripting (XSS) vulnerability in Movable Type 4.x before 4.36 and 5.x before 5.05 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2011-5084', 'references' => [ 'http://www.movabletype.org/2011/05/movable_type_51_and_505_436_security_update.html', @@ -40255,7 +41129,7 @@ weakness. 'description' => 'Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in Six Apart Movable Type 5.0 and 5.01 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2010-1985', 'references' => [ 'http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000017.html', @@ -40279,7 +41153,7 @@ weakness. 'description' => 'Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart Movable Type before 4.261 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-2480. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2009-2492', 'references' => [ 'http://jvn.jp/en/jp/JVN86472161/index.html', 
@@ -40302,7 +41176,7 @@ weakness. 'description' => 'mt-wizard.cgi in Six Apart Movable Type before 4.261, when global templates are not initialized, allows remote attackers to bypass access restrictions and (1) send e-mail to arbitrary addresses or (2) obtain sensitive information via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2009-2481', 'references' => [ 'http://jvn.jp/en/jp/JVN08369659/index.html', @@ -40326,7 +41200,7 @@ weakness. 'description' => 'Unspecified vulnerability in Movable Type Pro and Community Solution 4.x before 4.24 has unknown impact and attack vectors, possibly related to the password recovery mechanism. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2009-0752', 'references' => [ 'http://www.movabletype.com/blog/2009/02/movable-type-424-get-updated-with-better-password-recovery.html' @@ -40345,7 +41219,7 @@ weakness. 'description' => 'Six Apart Movable Type (MT) before 4.23 allows remote authenticated users with create permission for posts to bypass intended access restrictions and publish posts via a "system-wide entry listing screen." ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2008-5846', 'references' => [ 'http://www.movabletype.org/mt_423_change_log.html', 
@@ -40366,7 +41240,7 @@ weakness. 'description' => 'Multiple cross-site scripting (XSS) vulnerabilities in Six Apart Movable Type (MT) before 4.23 allow remote attackers to inject arbitrary web script or HTML via a (1) MTEntryAuthorUsername, (2) MTAuthorDisplayName, (3) MTEntryAuthorDisplayName, or (4) MTCommenterName field in a Profile View template; a (5) listing screen or (6) edit screen in the CMS app; (7) a TrackBack title, related to the HTML sanitization library; or (8) a user archive name (aka archive title) on a published Community Blog template. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2008-5845', 'references' => [ 'http://www.movabletype.org/mt_423_change_log.html', @@ -40388,7 +41262,7 @@ weakness. 'description' => 'Cross-site scripting (XSS) vulnerability in Six Apart Movable Type Enterprise (MTE) 1.x before 1.56; Movable Type (MT) 3.x before 3.38; and Movable Type, Movable Type Open Source (MTOS), and Movable Type Enterprise 4.x before 4.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to "application management." ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2008-5808', 'references' => [ 'http://secunia.com/advisories/32935', @@ -40412,7 +41286,7 @@ weakness. 'description' => 'Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2021-20812', 'references' => [ 'https://movabletype.org/news/2021/08/mt-780-681-released.html', 
@@ -40432,7 +41306,7 @@ weakness. 'description' => 'Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of \'Manage of Content Types\' may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier. ', 'distribution' => 'MT', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-MT-2022-43660', 'references' => [ 'https://movabletype.org/news/2022/11/mt-796-688-released.html', @@ -40446,14 +41320,16 @@ weakness. 'Mail-Audit' => { 'advisories' => [ { - 'affected_versions' => undef, + 'affected_versions' => [ + '>0' + ], 'cves' => [ 'CVE-2005-4536' ], 'description' => 'Mail::Audit module in libmail-audit-perl 2.1-5, when logging is enabled without a default log file specified, uses predictable log filenames, which allows local users to overwrite arbitrary files via a symlink attack on the [PID]-audit.log temporary file. ', 'distribution' => 'Mail-Audit', - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Mail-Audit-2005-4536', 'references' => [ 'http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344029', 
@@ -40639,14 +41515,18 @@ weakness. 'MailTools' => { 'advisories' => [ { - 'affected_versions' => '<1.51', + 'affected_versions' => [ + '<1.51' + ], 'cves' => [ 'CVE-2002-1271' ], 'description' => 'The Mail::Mailer Perl module in the perl-MailTools package 1.47 and earlier uses mailx as the default mailer, which allows remote attackers to execute arbitrary commands by inserting them into the mail body, which is then processed by mailx. ', 'distribution' => 'MailTools', - 'fixed_versions' => '>=1.51', + 'fixed_versions' => [ + '>=1.51' + ], 'id' => 'CPANSA-Mail-Mailer-2002-1271', 'references' => [ 'http://www.iss.net/security_center/static/10548.php', 
@@ -40976,14 +41856,18 @@ weakness. 'Module-Load-Conditional' => { 'advisories' => [ { - 'affected_versions' => '<0.66', + 'affected_versions' => [ + '<0.66' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'Module-Load-Conditional', - 'fixed_versions' => '>=0.66', + 'fixed_versions' => [ + '>=0.66' + ], 'id' => 'CPANSA-Module-Load-Conditional-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', 
@@ -41177,14 +42061,18 @@ weakness. 'Module-Metadata' => { 'advisories' => [ { - 'affected_versions' => '<1.000015', + 'affected_versions' => [ + '<1.000015' + ], 'cves' => [ 'CVE-2013-1437' ], 'description' => 'Eval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value. ', 'distribution' => 'Module-Metadata', - 'fixed_versions' => '>=1.000015', + 'fixed_versions' => [ + '>=1.000015' + ], 'id' => 'CPANSA-Module-Metadata-2013-1437', 'references' => [ 'http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114912.html', 
@@ -41377,14 +42265,18 @@ weakness. 'Module-Provision' => { 'advisories' => [ { - 'affected_versions' => '<0.42.1', + 'affected_versions' => [ + '<0.42.1' + ], 'cves' => [ 'CVE-2016-1238' ], 'description' => '(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. ', 'distribution' => 'Module-Provision', - 'fixed_versions' => '>=0.42.1', + 'fixed_versions' => [ + '>=0.42.1' + ], 'id' => 'CPANSA-Module-Provision-2016-1238', 'references' => [ 'http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html', 
@@ -41634,14 +42526,18 @@ weakness. 'Module-Signature' => { 'advisories' => [ { - 'affected_versions' => '<0.72', + 'affected_versions' => [ + '<0.72' + ], 'cves' => [ 'CVE-2013-2145' ], 'description' => 'The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a "special unknown cipher" that references an untrusted module in Digest/. ', 'distribution' => 'Module-Signature', - 'fixed_versions' => '>=0.72', + 'fixed_versions' => [ + '>=0.72' + ], 'id' => 'CPANSA-Module-Signature-2013-01', 'references' => [ 'https://metacpan.org/changes/distribution/Module-Signature' @@ -41964,7 +42860,9 @@ weakness. 'Mojo-DOM-Role-Analyzer' => { 'advisories' => [ { - 'affected_versions' => '<=0.015', + 'affected_versions' => [ + '<=0.015' + ], 'cves' => [ 'CVE-2024-38526' ], @@ -41975,7 +42873,7 @@ weakness. 'distributed_version' => undef, 'name' => 'polyfill.io' }, - 'fixed_versions' => undef, + 'fixed_versions' => [], 'id' => 'CPANSA-Mojo-DOM-Role-Analyzer-2024-38526', 'references' => [ 'https://github.com/mitmproxy/pdoc/pull/703', @@ -42032,12 +42930,16 @@ weakness. 'MojoMojo' => { 'advisories' => [ { - 'affected_versions' => '<0.999033', + 'affected_versions' => [ + '<0.999033' + ], 'cves' => [], 'description' => 'Anonymous users can delete attachments. ', 'distribution' => 'MojoMojo', - 'fixed_versions' => '>=0.999033', + 'fixed_versions' => [ + '>=0.999033' + ], 'id' => 'CPANSA-MojoMojo-2009-01', 'references' => [ 'https://metacpan.org/changes/distribution/MojoMojo', @@ -42245,12 +43147,16 @@ weakness. 'Mojolicious' => { 'advisories' => [ { - 'affected_versions' => '<9.31', + 'affected_versions' => [ + '<9.31' + ], 'cves' => [], 'description' => 'Mojo::DOM did not correctly parse