CVE-2012-5526

medium

Description

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

References

http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

http://rhn.redhat.com/errata/RHSA-2013-0685.html

http://secunia.com/advisories/51457

http://secunia.com/advisories/55314

http://www.debian.org/security/2012/dsa-2586

http://www.openwall.com/lists/oss-security/2012/11/15/6

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/bid/56562

http://www.securitytracker.com/id?1027780

http://www.ubuntu.com/usn/USN-1643-1

https://exchange.xforce.ibmcloud.com/vulnerabilities/80098

https://github.com/markstos/CGI.pm/pull/23

Details

Source: MITRE

Published: 2012-11-21

Updated: 2017-08-29

Type: CWE-16

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:andy_armstrong:cgi.pm:*:*:*:*:*:*:*:* versions up to 3.62 (inclusive)

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 91752 | OracleVM 3.2 : perl (OVMSA-2016-0076) | Nessus | OracleVM Local Security Checks | high |
| 85945 | F5 Networks BIG-IP : Perl vulnerabilities (K15867) | Nessus | F5 Networks Local Security Checks | high |
| 80731 | Oracle Solaris Third-Party Patch Update : perl-58 (cve_2012_5526_configuration_vulnerability1) | Nessus | Solaris Local Security Checks | high |
| 80727 | Oracle Solaris Third-Party Patch Update : perl-512 (cve_2012_5195_heap_buffer) | Nessus | Solaris Local Security Checks | high |
| 74932 | openSUSE Security Update : perl (openSUSE-SU-2013:0497-1) | Nessus | SuSE Local Security Checks | high |
| 69736 | Amazon Linux AMI : perl (ALAS-2013-177) | Nessus | Amazon Linux Local Security Checks | high |
| 68797 | Oracle Linux 5 / 6 : perl (ELSA-2013-0685) | Nessus | Oracle Linux Local Security Checks | high |
| 65715 | Scientific Linux Security Update : perl on SL5.x, SL6.x i386/x86_64 (20130326) | Nessus | Scientific Linux Local Security Checks | high |
| 65698 | RHEL 5 / 6 : perl (RHSA-2013:0685) | Nessus | Red Hat Local Security Checks | high |
| 65694 | CentOS 5 / 6 : perl (CESA-2013:0685) | Nessus | CentOS Local Security Checks | high |
| 65249 | SuSE 10 Security Update : Perl (ZYPP Patch Number 8479) | Nessus | SuSE Local Security Checks | high |
| 65247 | SuSE 11.2 Security Update : Perl (SAT Patch Number 7439) | Nessus | SuSE Local Security Checks | high |
| 63284 | Mandriva Linux Security Advisory : perl-CGI (MDVSA-2012:180) | Nessus | Mandriva Local Security Checks | medium |
| 63282 | Fedora 16 : perl-5.14.3-203.fc16 / perl-CGI-3.52-203.fc16 (2012-18330) | Nessus | Fedora Local Security Checks | medium |
| 63271 | Debian DSA-2587-1 : libcgi-pm-perl - HTTP header injection | Nessus | Debian Local Security Checks | medium |
| 63270 | Debian DSA-2586-1 : perl - several vulnerabilities | Nessus | Debian Local Security Checks | high |
| 63248 | Fedora 17 : perl-5.14.3-218.fc17 / perl-CGI-3.52-218.fc17 (2012-19282) | Nessus | Fedora Local Security Checks | medium |
| 63235 | Fedora 18 : perl-5.16.2-235.fc18 / perl-CGI-3.59-235.fc18 (2012-19125) | Nessus | Fedora Local Security Checks | medium |
| 63109 | Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : perl vulnerabilities (USN-1643-1) | Nessus | Ubuntu Local Security Checks | high |
| 63081 | Fedora 17 : perl-CGI-3.51-7.fc17 (2012-18318) | Nessus | Fedora Local Security Checks | medium |
| 63043 | Fedora 18 : perl-CGI-3.51-10.fc18 (2012-18362) | Nessus | Fedora Local Security Checks | medium |