CVE-2014-10401
Description
The Perl DBI module before 1.632 allows DBD::File drivers to open files from directories other than the intended f_dir, leading to information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue was discovered in the DBI module for Perl before version 1.632. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute. This vulnerability is documented in commit caedc0d7d602f5b2ae5efc1b00f39efeafb7b05a [1]. Affected versions include all DBI releases prior to 1.632.
Exploitation
An attacker can exploit this by connecting to a database using a DBD::File driver (such as DBD::CSV) with a crafted f_dir attribute pointing to a non-existent directory or by leveraging existing configurations where f_dir is not properly validated. The attacker does not need authentication but must be able to control the connection parameters or influence the f_dir value. The fix adds a check that the specified directory exists before allowing the connection, preventing access to unintended directories.
Impact
Successful exploitation allows an attacker to read arbitrary files from the filesystem, leading to disclosure of sensitive information. This is classified as an information disclosure vulnerability (CIA impact: confidentiality). The Ubuntu security notice [2] states that an attacker could possibly use this issue to expose sensitive information.
Mitigation
The vulnerability is fixed in DBI version 1.632, released on 9th November 2014 [1]. Users should upgrade to DBI 1.632 or later. Ubuntu issued security updates (USN-4509-1) [2] to address this issue. There is no known workaround; upgrading is the recommended mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Perl/DBI module
  - Range: <1.632
- OSV coordinates (7 versions, no CPE):
  - pkg:rpm/opensuse/perl-DBI&distro=openSUSE%20Leap%2015.1: < 1.639-lp151.3.16.1
  - pkg:rpm/opensuse/perl-DBI&distro=openSUSE%20Leap%2015.2: < 1.642-lp152.2.9.1
  - pkg:rpm/opensuse/perl-DBI&distro=openSUSE%20Tumbleweed: < 1.643-2.7
  - pkg:rpm/suse/perl-DBI&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1: < 1.639-3.14.1
  - pkg:rpm/suse/perl-DBI&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2: < 1.642-3.9.1
  - pkg:rpm/suse/perl-DBI&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 1.628-5.9.1
  - pkg:rpm/suse/perl-DBI&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 1.628-5.9.1
Patches
- caedc0d7d602
Vulnerability mechanics
Root cause
"DBD::File drivers would open files from folders other than those specified by the f_dir attribute."
Attack vector
An attacker could exploit this vulnerability by providing a malicious f_dir attribute to the DBI connect function. This would allow the DBD::File driver to access files outside of the intended directory, potentially leading to unauthorized data access or modification. The vulnerability is triggered when the f_dir attribute points to a non-existent directory, and the driver proceeds to open files from other locations. [ref_id=1]
Affected code
The vulnerability lies within the `connect` subroutine of the DBD::File driver, specifically in how it handles the `f_dir` attribute. The original code did not adequately validate the existence of the specified directory before allowing file operations. The patch modifies this subroutine to include checks for directory existence. [ref_id=1]
What the fix does
The patch modifies the `connect` subroutine in DBD::File. It now explicitly checks if the directory specified by the `f_dir` attribute exists before proceeding. If the directory does not exist, an error is set, and the connection is aborted, preventing the driver from accessing unintended files. This change ensures that DBD::File only operates within the specified directory. [patch_id=4373475]
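The following is an added example, not code from the DBI project or from the CVE references: a connection wrapper that performs the pre-connect check the fix introduced (f_dir must be an existing directory) and, going beyond the upstream fix, also confines f_dir to an allow-listed root. It assumes DBD::CSV is installed and uses /var/lib/myapp/csv as a placeholder for the application's data directory.

```perl
#!/usr/bin/perl
# Added example: validate f_dir before handing it to a DBD::File driver.
# Not DBI project code. $ALLOWED_ROOT is a placeholder data directory.
use strict;
use warnings;
use Cwd qw(realpath);
use DBI;

# Placeholder: only directories below this root may be used as f_dir.
my $ALLOWED_ROOT = '/var/lib/myapp/csv';

# Returns the canonical path of $f_dir if it is an existing directory
# inside $ALLOWED_ROOT; dies otherwise. The existence check mirrors the
# one DBI 1.632 added to DBD::File's connect; the containment check is
# an extra layer this example adds.
sub validate_f_dir {
    my ($f_dir) = @_;
    die "f_dir not given\n" unless defined $f_dir && length $f_dir;
    # Pre-1.632 DBD::File accepted a non-existent f_dir and then opened
    # files from other locations; refuse such a value up front.
    die "f_dir '$f_dir' is not an existing directory\n" unless -d $f_dir;
    my $root = realpath($ALLOWED_ROOT);
    die "allowed root '$ALLOWED_ROOT' missing\n" unless defined $root && -d $root;
    # realpath resolves symlinks and '..', so a prefix test on the result
    # is a reliable containment check.
    my $real = realpath($f_dir);
    die "cannot resolve '$f_dir'\n" unless defined $real && -d $real;
    die "f_dir '$f_dir' resolves outside $ALLOWED_ROOT\n"
        unless $real eq $root || index($real, "$root/") == 0;
    return $real;
}

# Connect to DBD::CSV only after f_dir has passed validation.
sub connect_csv {
    my ($f_dir) = @_;
    my $dir = validate_f_dir($f_dir);
    return DBI->connect('dbi:CSV:', undef, undef, {
        f_dir      => $dir,
        f_ext      => '.csv/r',   # only *.csv files; extension required
        RaiseError => 1,
        PrintError => 0,
    });
}

my $dbh = connect_csv($ARGV[0] // $ALLOWED_ROOT);
printf "connected, driver confined to %s\n", $dbh->{f_dir};
$dbh->disconnect;
```

Run it with a directory argument; a non-existent path, or one that resolves outside the allowed root, is rejected before any DBD::File code runs.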
Preconditions
- input: The attacker must be able to control the `f_dir` attribute passed to the DBI connect function.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://usn.ubuntu.com/4509-1/ (MITRE, vendor-advisory, x_refsource_UBUNTU)
- https://github.com/perl5-dbi/dbi/commit/caedc0d7d602f5b2ae5efc1b00f39efeafb7b05a (MITRE, x_refsource_MISC)
- https://metacpan.org/pod/distribution/DBI/Changes (MITRE, x_refsource_MISC)
- rt.cpan.org/Public/Bug/Display.html (MITRE, x_refsource_MISC)