VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
Vulnerability Analysis Result (Revision No : 1)
CVE-2010-2253
libwww-perl: lwp-download in libwww-perl before 5.835 does not r...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2253

Original

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.


About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-07-06
Source Information Category: Advisory, Alert
Last Updated: 2010-07-07

Affected Product Tags
cpe:/a:search.cpan:libwww-perl:0.01
cpe:/a:search.cpan:libwww-perl:0.02
cpe:/a:search.cpan:libwww-perl:0.03
cpe:/a:search.cpan:libwww-perl:0.04
cpe:/a:search.cpan:libwww-perl:5.00
cpe:/a:search.cpan:libwww-perl:5.01
cpe:/a:search.cpan:libwww-perl:5.02
cpe:/a:search.cpan:libwww-perl:5.03
cpe:/a:search.cpan:libwww-perl:5.04
cpe:/a:search.cpan:libwww-perl:5.05
cpe:/a:search.cpan:libwww-perl:5.06
cpe:/a:search.cpan:libwww-perl:5.07
cpe:/a:search.cpan:libwww-perl:5.08
cpe:/a:search.cpan:libwww-perl:5.09
cpe:/a:search.cpan:libwww-perl:5.10
cpe:/a:search.cpan:libwww-perl:5.11
cpe:/a:search.cpan:libwww-perl:5.12
cpe:/a:search.cpan:libwww-perl:5.13
cpe:/a:search.cpan:libwww-perl:5.14
cpe:/a:search.cpan:libwww-perl:5.15
cpe:/a:search.cpan:libwww-perl:5.16
cpe:/a:search.cpan:libwww-perl:5.17
cpe:/a:search.cpan:libwww-perl:5.18
cpe:/a:search.cpan:libwww-perl:5.18_03
cpe:/a:search.cpan:libwww-perl:5.18_04
cpe:/a:search.cpan:libwww-perl:5.18_05
cpe:/a:search.cpan:libwww-perl:5.19
cpe:/a:search.cpan:libwww-perl:5.20
cpe:/a:search.cpan:libwww-perl:5.21
cpe:/a:search.cpan:libwww-perl:5.22
cpe:/a:search.cpan:libwww-perl:5.30
cpe:/a:search.cpan:libwww-perl:5.31
cpe:/a:search.cpan:libwww-perl:5.32
cpe:/a:search.cpan:libwww-perl:5.33
cpe:/a:search.cpan:libwww-perl:5.34
cpe:/a:search.cpan:libwww-perl:5.35
cpe:/a:search.cpan:libwww-perl:5.36
cpe:/a:search.cpan:libwww-perl:5.40_01
cpe:/a:search.cpan:libwww-perl:5.41
cpe:/a:search.cpan:libwww-perl:5.42
cpe:/a:search.cpan:libwww-perl:5.43
cpe:/a:search.cpan:libwww-perl:5.44
cpe:/a:search.cpan:libwww-perl:5.45
cpe:/a:search.cpan:libwww-perl:5.46
cpe:/a:search.cpan:libwww-perl:5.47
cpe:/a:search.cpan:libwww-perl:5.48
cpe:/a:search.cpan:libwww-perl:5.49
cpe:/a:search.cpan:libwww-perl:5.50
cpe:/a:search.cpan:libwww-perl:5.51
cpe:/a:search.cpan:libwww-perl:5.52
cpe:/a:search.cpan:libwww-perl:5.53
cpe:/a:search.cpan:libwww-perl:5.53_90
cpe:/a:search.cpan:libwww-perl:5.53_91
cpe:/a:search.cpan:libwww-perl:5.53_92
cpe:/a:search.cpan:libwww-perl:5.53_93
cpe:/a:search.cpan:libwww-perl:5.53_94
cpe:/a:search.cpan:libwww-perl:5.53_95
cpe:/a:search.cpan:libwww-perl:5.53_96
cpe:/a:search.cpan:libwww-perl:5.53_97
cpe:/a:search.cpan:libwww-perl:5.60
cpe:/a:search.cpan:libwww-perl:5.61
cpe:/a:search.cpan:libwww-perl:5.62
cpe:/a:search.cpan:libwww-perl:5.63
cpe:/a:search.cpan:libwww-perl:5.64
cpe:/a:search.cpan:libwww-perl:5.65
cpe:/a:search.cpan:libwww-perl:5.66
cpe:/a:search.cpan:libwww-perl:5.67
cpe:/a:search.cpan:libwww-perl:5.68
cpe:/a:search.cpan:libwww-perl:5.69
cpe:/a:search.cpan:libwww-perl:5.70
cpe:/a:search.cpan:libwww-perl:5.71
cpe:/a:search.cpan:libwww-perl:5.72
cpe:/a:search.cpan:libwww-perl:5.73
cpe:/a:search.cpan:libwww-perl:5.74
cpe:/a:search.cpan:libwww-perl:5.75
cpe:/a:search.cpan:libwww-perl:5.76
cpe:/a:search.cpan:libwww-perl:5.77
cpe:/a:search.cpan:libwww-perl:5.78
cpe:/a:search.cpan:libwww-perl:5.79
cpe:/a:search.cpan:libwww-perl:5.800
cpe:/a:search.cpan:libwww-perl:5.801
cpe:/a:search.cpan:libwww-perl:5.802
cpe:/a:search.cpan:libwww-perl:5.803
cpe:/a:search.cpan:libwww-perl:5.804
cpe:/a:search.cpan:libwww-perl:5.805
cpe:/a:search.cpan:libwww-perl:5.806
cpe:/a:search.cpan:libwww-perl:5.807
cpe:/a:search.cpan:libwww-perl:5.808
cpe:/a:search.cpan:libwww-perl:5.810
cpe:/a:search.cpan:libwww-perl:5.811
cpe:/a:search.cpan:libwww-perl:5.812
cpe:/a:search.cpan:libwww-perl:5.813
cpe:/a:search.cpan:libwww-perl:5.814
cpe:/a:search.cpan:libwww-perl:5.815
cpe:/a:search.cpan:libwww-perl:5.816
cpe:/a:search.cpan:libwww-perl:5.817
cpe:/a:search.cpan:libwww-perl:5.818
cpe:/a:search.cpan:libwww-perl:5.819
cpe:/a:search.cpan:libwww-perl:5.820
cpe:/a:search.cpan:libwww-perl:5.821
cpe:/a:search.cpan:libwww-perl:5.822
cpe:/a:search.cpan:libwww-perl:5.823
cpe:/a:search.cpan:libwww-perl:5.824
cpe:/a:search.cpan:libwww-perl:5.825
cpe:/a:search.cpan:libwww-perl:5.826
cpe:/a:search.cpan:libwww-perl:5.827
cpe:/a:search.cpan:libwww-perl:5.828
cpe:/a:search.cpan:libwww-perl:5.829
cpe:/a:search.cpan:libwww-perl:5.830
cpe:/a:search.cpan:libwww-perl:5.831
cpe:/a:search.cpan:libwww-perl:5.832
cpe:/a:search.cpan:libwww-perl:5.833
cpe:/a:search.cpan:libwww-perl:5.834 and previous versions
cpe:/a:search.cpan:libwww-perl:5b10
cpe:/a:search.cpan:libwww-perl:5b11
cpe:/a:search.cpan:libwww-perl:5b12
cpe:/a:search.cpan:libwww-perl:5b13
cpe:/a:search.cpan:libwww-perl:5b5
cpe:/a:search.cpan:libwww-perl:5b6
cpe:/a:search.cpan:libwww-perl:5b7
cpe:/a:search.cpan:libwww-perl:5b8
cpe:/a:search.cpan:libwww-perl:5b9
 


Vulnerability Analysis Results
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
(CVSS v2 base vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

References
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=602800
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=591580
CONFIRM http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes
MISC http://www.ocert.org/advisories/ocert-2010-001.html
MLIST [oss-security] 20100609 Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability
MLIST [oss-security] 20100517 [oCERT-2010-001] multiple http client unexpected download filename vulnerability

Vulnerability Type: Input Validation (CWE-20)

Copyright © 2010 JPCERT/CC All Rights Reserved.