Vulnerabilities Found in Perl, ownCloud, GStreamer, Zephyr RTOS

Several recently disclosed vulnerabilities:

  • The maintenance release Perl 5.38.1 fixes a vulnerability (CVE-2023-47038) that can lead to a one-byte write past the end of the allocated buffer when compiling a regular expression that contains a malformed, repeated internal Unicode property whose name begins with utf8::. The problem first appears in the Perl 5.30 branch.
  • Perl 5.38.1 also fixes a Windows-specific vulnerability (CVE-2023-47039) that lets an attacker who can place a cmd.exe file in the current directory execute their own code: because the search path for executables is not sanitised, Perl first tries to launch cmd.exe from the current directory. For example, an attacker can drop their own cmd.exe into the C:\ProgramData directory and escalate privileges if an administrator runs a Perl script from that directory.
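As an added illustration of the search-order flaw described in the CVE-2023-47039 item (this is example code written for this note, not Perl's own Win32 code): a resolver that only looks in caller-supplied trusted directories, beside the unsafe order that consults the current directory first, plus an audit check that flags a same-named file sitting in the current directory. The directory layout is constructed in a temporary directory and the names system32, ProgramData and cmd.exe are placeholders standing in for the real Windows locations.

```python
"""Added example: resolving an executable without trusting the current directory.

Models the class of flaw described for CVE-2023-47039 (a bare name such as
"cmd.exe" looked up in the current directory before the system directory).
Generic standard-library illustration, not Perl's code.
"""
import tempfile
from pathlib import Path


def resolve_executable(name, search_dirs):
    """Return the first existing file called `name` in search_dirs, in order.

    The current directory is consulted only if the caller lists it
    explicitly, which is the hardened behaviour: callers pass trusted
    directories (or a full path) and never the working directory.
    """
    for directory in search_dirs:
        candidate = Path(directory) / name
        if candidate.is_file():
            return str(candidate.resolve())
    return None


def planted_copy_in_cwd(name, cwd, trusted_path):
    """Audit check: True if `cwd` holds a file called `name` that is not the trusted binary."""
    candidate = Path(cwd) / name
    if not candidate.is_file():
        return False
    return candidate.resolve() != Path(trusted_path).resolve()


def demo():
    """Build a constructed layout and return which lookup picks which file.

    Constructed layout (a temp dir, not a real Windows system):
      <root>/system32/cmd.exe     legitimate shell (placeholder content)
      <root>/ProgramData/cmd.exe  copy planted in a world-writable directory
    The script is "run from" ProgramData, so that is the current directory.
    """
    with tempfile.TemporaryDirectory() as root:
        system32 = Path(root) / "system32"
        programdata = Path(root) / "ProgramData"
        system32.mkdir()
        programdata.mkdir()
        real = system32 / "cmd.exe"
        real.write_text("legitimate shell (placeholder)")
        planted = programdata / "cmd.exe"
        planted.write_text("planted copy (placeholder)")

        # Unsafe order (the pre-fix behaviour): current directory first.
        unsafe = resolve_executable("cmd.exe", [programdata, system32])
        # Hardened order: only the trusted system directory is searched.
        safe = resolve_executable("cmd.exe", [system32])
        # Audit: warn before running anything if a same-named file sits in cwd.
        flagged = planted_copy_in_cwd("cmd.exe", programdata, real)

        return {
            "unsafe_picks_planted": unsafe == str(planted.resolve()),
            "safe_picks_trusted": safe == str(real.resolve()),
            "audit_flags_planted_copy": flagged,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

On a real Windows host the equivalent hardening for scripts that must keep running on an older Perl is to spawn the shell by its full path under %SystemRoot% rather than by the bare name cmd.exe, and not to run administrative scripts from directories that other users can write to, such as C:\ProgramData; upgrading to 5.38.1 fixes the lookup inside Perl itself.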

  • In the ownCloud cloud platform, from which the Nextcloud project was forked, a vulnerability (CVE-2023-49103) has been disclosed that affects the graphapi application and allows reading the contents of environment variables that may contain the administrator password, the license key and the credentials for connecting to the mail server. The problem is caused by a third-party library used by graphapi that ships, among other things, a GetPhpInfo.php handler that calls the phpinfo() function, whose output includes the environment variables.
  • Two vulnerabilities have been disclosed in the GStreamer multimedia framework: CVE-2023-44446, a use-after-free (
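An added detection example for the ownCloud item above (written for this note, not ownCloud's own code): it parses Apache combined-format access-log lines, normalises the request path (URL decoding and case folding, so encoded or differently-cased probes are not missed) and reports every request for GetPhpInfo.php, rating those answered with HTTP 200 as a confirmed exposure and the rest as probes. The log lines are constructed samples; the directory portion of the URL is a placeholder, since the text above names only the file.

```python
"""Added example: flag requests for GetPhpInfo.php in web-server access logs.

Detection logic for the ownCloud graphapi exposure (CVE-2023-49103); the
sample log lines below are constructed, not captured traffic, and the
directory part of the URL is a placeholder.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format samples (placeholder paths, RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2023:10:01:13 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Nov/2023:10:02:41 +0000] "GET /apps/graphapi/vendor/PLACEHOLDER/GetPhpInfo.php HTTP/1.1" 200 89123 "-" "python-requests/2.31"
203.0.113.7 - - [22/Nov/2023:10:03:05 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 7731 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Nov/2023:10:04:58 +0000] "GET /apps/graphapi/vendor/PLACEHOLDER/getphpinfo%2Ephp?x=1 HTTP/1.1" 404 196 "-" "curl/8.4.0"
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalised_filename(target):
    """Last path component of the request target, percent-decoded twice and lower-cased.

    Double decoding catches %252E-style encodings; lower-casing catches
    probes that vary the case even where the server itself is case-sensitive.
    """
    path = urlsplit(target).path
    path = unquote(unquote(path))
    return path.rsplit("/", 1)[-1].lower()


def find_phpinfo_requests(log_text):
    """Return one finding per request for GetPhpInfo.php, in log order.

    A 200 response means phpinfo() output (and the environment with it) was
    served; anything else is recorded as a probe worth correlating.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, never crash the scan
        if normalised_filename(rec["target"]) != "getphpinfo.php":
            continue
        severity = "confirmed-exposure" if rec["status"] == 200 else "probe"
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "target": rec["target"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_phpinfo_requests(SAMPLE_LOG):
        print(f"{f['severity']:18} {f['ip']:15} {f['status']} {f['target']}")
```

A confirmed hit means the environment was served to that client, so the response is to rotate the secrets the item lists (administrator password, license key, mail-server credentials) and remove the handler or disable phpinfo() in PHP, not only to block further requests.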