DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location.
The complete_table_name method builds the absolute table file path without checking whether the file is a symbolic link. A link inside the data directory can point to a table file at any path outside of the configured f_dir and f_dir_search directories.
Callers of file-based drivers can read or write files outside of the data directory.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location. The complete_table_name method builds the absolute table file path without checking whether the file is a symbolic link. A link inside the data directory can point to a table file at any path outside of the configured f_dir and f_dir_search directories. Callers of file-based drivers can read or write files outside of the data directory. | |
| Title | DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location | |
| Weaknesses | CWE-22 CWE-59 |
|
| References |
|
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-14T15:34:01.547Z
Reserved: 2026-07-10T12:52:40.335Z
Link: CVE-2026-15392
No data.
No data.
No data.
OpenCVE Enrichment
No data.