CVE-2023-47039: 
NixOS vulnerability analysis and mitigation

A security vulnerability (CVE-2023-47039) was discovered in Perl for Windows, affecting versions prior to 5.38.1. The vulnerability was initially reported by GitHub user ycdxsb to the Intel Product Security Incident Response Team (PSIRT), who then reported it to the Perl security team (Perl Delta, NVD).

The vulnerability stems from how Perl for Windows handles the system path environment variable when searching for the shell (cmd.exe). Due to path search order issues, when an executable using the Windows Perl interpreter attempts to find and execute cmd.exe, it first looks in the current working directory before checking system directories. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Red Hat, NetApp).

When successfully exploited, this vulnerability could lead to arbitrary code execution with elevated privileges. An attacker with limited privileges can place a malicious cmd.exe in locations with weak permissions, such as C:\ProgramData, which would then be executed when an administrator runs a Perl executable from these compromised locations (NVD, Security Online).

The vulnerability has been fixed in Perl versions 5.34.2, 5.36.2, and 5.38.1. Users are strongly advised to upgrade to these or later versions to mitigate the risk. The fix was released as part of a coordinated security response (Perl Delta, Openwall).