CVE-2010-2761

MEDIUM

Description

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.

References

http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html

http://openwall.com/lists/oss-security/2010/12/01/1

http://openwall.com/lists/oss-security/2010/12/01/2

http://openwall.com/lists/oss-security/2010/12/01/3

http://osvdb.org/69588

http://osvdb.org/69589

http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm

http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1

http://secunia.com/advisories/42877

http://secunia.com/advisories/43033

http://secunia.com/advisories/43068

http://secunia.com/advisories/43147

http://secunia.com/advisories/43165

http://www.bugzilla.org/security/3.2.9/

http://www.mandriva.com/security/advisories?name=MDVSA-2010:237

http://www.mandriva.com/security/advisories?name=MDVSA-2010:250

http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html

http://www.redhat.com/support/errata/RHSA-2011-1797.html

http://www.vupen.com/english/advisories/2011/0076

http://www.vupen.com/english/advisories/2011/0207

http://www.vupen.com/english/advisories/2011/0212

http://www.vupen.com/english/advisories/2011/0249

http://www.vupen.com/english/advisories/2011/0271

https://bugzilla.mozilla.org/show_bug.cgi?id=591165

https://bugzilla.mozilla.org/show_bug.cgi?id=600464

https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Details

Source: MITRE

Published: 2010-12-06

Updated: 2016-12-08

Type: CWE-94

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:a:andy_armstrong:cgi.pm:1.4:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.42:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.43:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.44:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.45:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.50:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.51:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.52:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.53:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.54:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.55:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.56:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:1.57:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.0:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.01:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.13:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.14:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.15:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.16:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.17:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.18:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.19:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.20:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.21:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.22:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.23:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.24:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.25:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.26:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.27:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.28:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.29:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.30:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.31:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.32:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.33:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.34:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.35:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.36:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.37:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.38:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.39:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.40:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.41:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.42:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.43:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.44:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.45:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.46:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.47:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.48:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.49:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.50:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.51:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.52:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.53:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.54:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.55:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.56:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.57:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.58:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.59:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.60:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.61:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.62:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.63:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.64:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.65:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.66:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.67:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.68:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.69:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.70:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.71:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.72:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.73:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.74:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.75:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.76:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.77:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.78:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.79:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.80:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.81:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.82:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.83:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.84:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.85:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.86:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.87:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.88:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.89:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.90:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.91:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.92:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.93:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.94:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.95:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.96:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.97:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.98:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.99:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.751:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:2.752:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.00:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.01:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.02:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.03:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.04:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.05:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.06:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.07:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.08:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.09:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.10:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.11:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.12:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.13:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.14:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.15:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.16:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.17:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.18:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.19:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.20:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.21:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.22:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.23:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.24:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.25:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.26:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.27:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.28:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.29:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.30:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.31:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.32:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.33:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.34:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.35:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.36:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.37:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.38:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.39:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.40:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.41:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.42:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.43:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.44:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.45:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.46:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.47:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:3.48:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi.pm:*:*:*:*:*:*:*:*

OR

cpe:2.3:a:andy_armstrong:cgi-simple:0.078:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:0.079:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:0.080:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:0.081:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:0.082:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:0.83:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.0:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.1:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.103:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.104:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.105:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.106:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.107:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.108:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.109:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.110:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:1.111:*:*:*:*:*:*:*

cpe:2.3:a:andy_armstrong:cgi-simple:*:*:*:*:*:*:*:*

Tenable Plugins

23 plugins in total

ID | Name | Product | Family | Severity
108026 | Solaris 10 (x86) : 141553-04 | Nessus | Solaris Local Security Checks | medium
107527 | Solaris 10 (sparc) : 141552-04 | Nessus | Solaris Local Security Checks | medium
89038 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check) | Nessus | Misc. | high
75708 | openSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1) | Nessus | SuSE Local Security Checks | medium
75705 | openSUSE Security Update : perl (openSUSE-SU-2011:0064-1) | Nessus | SuSE Local Security Checks | medium
68402 | Oracle Linux 4 / 5 : perl (ELSA-2011-1797) | Nessus | Oracle Linux Local Security Checks | high
61747 | VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries | Nessus | VMware ESX Local Security Checks | high
57068 | CentOS 4 / 5 : perl (CESA-2011:1797) | Nessus | CentOS Local Security Checks | high
57053 | RHEL 4 / 5 : perl (RHSA-2011:1797) | Nessus | Red Hat Local Security Checks | high
56445 | GLSA-201110-03 : Bugzilla: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
55090 | Ubuntu 6.06 LTS / 8.04 LTS / 10.04 LTS / 10.10 / 11.04 : perl vulnerabilities (USN-1129-1) | Nessus | Ubuntu Local Security Checks | high
54593 | RHEL 6 : perl (RHSA-2011:0558) | Nessus | Red Hat Local Security Checks | medium
53790 | openSUSE Security Update : perl-CGI-Simple (openSUSE-SU-2011:0020-1) | Nessus | SuSE Local Security Checks | medium
53789 | openSUSE Security Update : perl (openSUSE-SU-2011:0064-1) | Nessus | SuSE Local Security Checks | medium
51856 | Fedora 13 : bugzilla-3.4.10-1.fc13 (2011-0755) | Nessus | Fedora Local Security Checks | high
51855 | Fedora 14 : bugzilla-3.6.4-1.fc14 (2011-0741) | Nessus | Fedora Local Security Checks | high
51823 | Fedora 14 : perl-CGI-Simple-1.113-1.fc14 (2011-0653) | Nessus | Fedora Local Security Checks | medium
51822 | Fedora 13 : perl-CGI-Simple-1.113-1.fc13 (2011-0631) | Nessus | Fedora Local Security Checks | medium
51670 | FreeBSD : bugzilla -- multiple serious vulnerabilities (c8c927e5-2891-11e0-8f26-00151735203a) | Nessus | FreeBSD Local Security Checks | high
51641 | SuSE 10 Security Update : Perl (ZYPP Patch Number 7316) | Nessus | SuSE Local Security Checks | medium
51630 | SuSE 11.1 Security Update : perl (SAT Patch Number 3804) | Nessus | SuSE Local Security Checks | medium
5744 | Bugzilla < 3.2.10 / 3.4.10 / 3.6.4 Multiple Vulnerabilities | Nessus Network Monitor | CGI | medium
50609 | Mandriva Linux Security Advisory : perl-CGI (MDVSA-2010:237) | Nessus | Mandriva Local Security Checks | medium