VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis

Vulnerability Analysis Result (Revision No: 1)
CVE-2010-2761
cgi.pm, cgi-simple: The multipart_init function in (1) CGI.pm before 3....
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2761

Original

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.

About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-12-06
Source Information Category: Advisory, Alert
Last Updated: 2010-12-07

Affected Product Tags
cpe:/a:cgi-simple:cgi-simple:0.078
cpe:/a:cgi-simple:cgi-simple:0.079
cpe:/a:cgi-simple:cgi-simple:0.080
cpe:/a:cgi-simple:cgi-simple:0.081
cpe:/a:cgi-simple:cgi-simple:0.082
cpe:/a:cgi-simple:cgi-simple:0.83
cpe:/a:cgi-simple:cgi-simple:1.0
cpe:/a:cgi-simple:cgi-simple:1.1
cpe:/a:cgi-simple:cgi-simple:1.1.1
cpe:/a:cgi-simple:cgi-simple:1.1.2
cpe:/a:cgi-simple:cgi-simple:1.103
cpe:/a:cgi-simple:cgi-simple:1.104
cpe:/a:cgi-simple:cgi-simple:1.105
cpe:/a:cgi-simple:cgi-simple:1.106
cpe:/a:cgi-simple:cgi-simple:1.107
cpe:/a:cgi-simple:cgi-simple:1.108
cpe:/a:cgi-simple:cgi-simple:1.109
cpe:/a:cgi-simple:cgi-simple:1.110
cpe:/a:cgi-simple:cgi-simple:1.111
cpe:/a:cgi-simple:cgi-simple:1.112 and previous versions
cpe:/a:cgi.pm:cgi.pm:1.4
cpe:/a:cgi.pm:cgi.pm:1.42
cpe:/a:cgi.pm:cgi.pm:1.43
cpe:/a:cgi.pm:cgi.pm:1.44
cpe:/a:cgi.pm:cgi.pm:1.45
cpe:/a:cgi.pm:cgi.pm:1.50
cpe:/a:cgi.pm:cgi.pm:1.51
cpe:/a:cgi.pm:cgi.pm:1.52
cpe:/a:cgi.pm:cgi.pm:1.53
cpe:/a:cgi.pm:cgi.pm:1.54
cpe:/a:cgi.pm:cgi.pm:1.55
cpe:/a:cgi.pm:cgi.pm:1.56
cpe:/a:cgi.pm:cgi.pm:1.57
cpe:/a:cgi.pm:cgi.pm:2.0
cpe:/a:cgi.pm:cgi.pm:2.01
cpe:/a:cgi.pm:cgi.pm:2.13
cpe:/a:cgi.pm:cgi.pm:2.14
cpe:/a:cgi.pm:cgi.pm:2.15
cpe:/a:cgi.pm:cgi.pm:2.16
cpe:/a:cgi.pm:cgi.pm:2.17
cpe:/a:cgi.pm:cgi.pm:2.18
cpe:/a:cgi.pm:cgi.pm:2.19
cpe:/a:cgi.pm:cgi.pm:2.20
cpe:/a:cgi.pm:cgi.pm:2.21
cpe:/a:cgi.pm:cgi.pm:2.22
cpe:/a:cgi.pm:cgi.pm:2.23
cpe:/a:cgi.pm:cgi.pm:2.24
cpe:/a:cgi.pm:cgi.pm:2.25
cpe:/a:cgi.pm:cgi.pm:2.26
cpe:/a:cgi.pm:cgi.pm:2.27
cpe:/a:cgi.pm:cgi.pm:2.28
cpe:/a:cgi.pm:cgi.pm:2.29
cpe:/a:cgi.pm:cgi.pm:2.30
cpe:/a:cgi.pm:cgi.pm:2.31
cpe:/a:cgi.pm:cgi.pm:2.32
cpe:/a:cgi.pm:cgi.pm:2.33
cpe:/a:cgi.pm:cgi.pm:2.34
cpe:/a:cgi.pm:cgi.pm:2.35
cpe:/a:cgi.pm:cgi.pm:2.36
cpe:/a:cgi.pm:cgi.pm:2.37
cpe:/a:cgi.pm:cgi.pm:2.38
cpe:/a:cgi.pm:cgi.pm:2.39
cpe:/a:cgi.pm:cgi.pm:2.40
cpe:/a:cgi.pm:cgi.pm:2.41
cpe:/a:cgi.pm:cgi.pm:2.42
cpe:/a:cgi.pm:cgi.pm:2.43
cpe:/a:cgi.pm:cgi.pm:2.44
cpe:/a:cgi.pm:cgi.pm:2.45
cpe:/a:cgi.pm:cgi.pm:2.46
cpe:/a:cgi.pm:cgi.pm:2.47
cpe:/a:cgi.pm:cgi.pm:2.48
cpe:/a:cgi.pm:cgi.pm:2.49
cpe:/a:cgi.pm:cgi.pm:2.50
cpe:/a:cgi.pm:cgi.pm:2.51
cpe:/a:cgi.pm:cgi.pm:2.52
cpe:/a:cgi.pm:cgi.pm:2.53
cpe:/a:cgi.pm:cgi.pm:2.54
cpe:/a:cgi.pm:cgi.pm:2.55
cpe:/a:cgi.pm:cgi.pm:2.56
cpe:/a:cgi.pm:cgi.pm:2.57
cpe:/a:cgi.pm:cgi.pm:2.58
cpe:/a:cgi.pm:cgi.pm:2.59
cpe:/a:cgi.pm:cgi.pm:2.60
cpe:/a:cgi.pm:cgi.pm:2.61
cpe:/a:cgi.pm:cgi.pm:2.62
cpe:/a:cgi.pm:cgi.pm:2.63
cpe:/a:cgi.pm:cgi.pm:2.64
cpe:/a:cgi.pm:cgi.pm:2.65
cpe:/a:cgi.pm:cgi.pm:2.66
cpe:/a:cgi.pm:cgi.pm:2.67
cpe:/a:cgi.pm:cgi.pm:2.68
cpe:/a:cgi.pm:cgi.pm:2.69
cpe:/a:cgi.pm:cgi.pm:2.70
cpe:/a:cgi.pm:cgi.pm:2.71
cpe:/a:cgi.pm:cgi.pm:2.72
cpe:/a:cgi.pm:cgi.pm:2.73
cpe:/a:cgi.pm:cgi.pm:2.74
cpe:/a:cgi.pm:cgi.pm:2.75
cpe:/a:cgi.pm:cgi.pm:2.751
cpe:/a:cgi.pm:cgi.pm:2.752
cpe:/a:cgi.pm:cgi.pm:2.76
cpe:/a:cgi.pm:cgi.pm:2.77
cpe:/a:cgi.pm:cgi.pm:2.78
cpe:/a:cgi.pm:cgi.pm:2.79
cpe:/a:cgi.pm:cgi.pm:2.80
cpe:/a:cgi.pm:cgi.pm:2.81
cpe:/a:cgi.pm:cgi.pm:2.82
cpe:/a:cgi.pm:cgi.pm:2.83
cpe:/a:cgi.pm:cgi.pm:2.84
cpe:/a:cgi.pm:cgi.pm:2.85
cpe:/a:cgi.pm:cgi.pm:2.86
cpe:/a:cgi.pm:cgi.pm:2.87
cpe:/a:cgi.pm:cgi.pm:2.88
cpe:/a:cgi.pm:cgi.pm:2.89
cpe:/a:cgi.pm:cgi.pm:2.90
cpe:/a:cgi.pm:cgi.pm:2.91
cpe:/a:cgi.pm:cgi.pm:2.92
cpe:/a:cgi.pm:cgi.pm:2.93
cpe:/a:cgi.pm:cgi.pm:2.94
cpe:/a:cgi.pm:cgi.pm:2.95
cpe:/a:cgi.pm:cgi.pm:2.96
cpe:/a:cgi.pm:cgi.pm:2.97
cpe:/a:cgi.pm:cgi.pm:2.98
cpe:/a:cgi.pm:cgi.pm:2.99
cpe:/a:cgi.pm:cgi.pm:3.00
cpe:/a:cgi.pm:cgi.pm:3.01
cpe:/a:cgi.pm:cgi.pm:3.02
cpe:/a:cgi.pm:cgi.pm:3.03
cpe:/a:cgi.pm:cgi.pm:3.04
cpe:/a:cgi.pm:cgi.pm:3.05
cpe:/a:cgi.pm:cgi.pm:3.06
cpe:/a:cgi.pm:cgi.pm:3.07
cpe:/a:cgi.pm:cgi.pm:3.08
cpe:/a:cgi.pm:cgi.pm:3.09
cpe:/a:cgi.pm:cgi.pm:3.10
cpe:/a:cgi.pm:cgi.pm:3.11
cpe:/a:cgi.pm:cgi.pm:3.12
cpe:/a:cgi.pm:cgi.pm:3.13
cpe:/a:cgi.pm:cgi.pm:3.14
cpe:/a:cgi.pm:cgi.pm:3.15
cpe:/a:cgi.pm:cgi.pm:3.16
cpe:/a:cgi.pm:cgi.pm:3.17
cpe:/a:cgi.pm:cgi.pm:3.18
cpe:/a:cgi.pm:cgi.pm:3.19
cpe:/a:cgi.pm:cgi.pm:3.20
cpe:/a:cgi.pm:cgi.pm:3.21
cpe:/a:cgi.pm:cgi.pm:3.22
cpe:/a:cgi.pm:cgi.pm:3.23
cpe:/a:cgi.pm:cgi.pm:3.24
cpe:/a:cgi.pm:cgi.pm:3.25
cpe:/a:cgi.pm:cgi.pm:3.26
cpe:/a:cgi.pm:cgi.pm:3.27
cpe:/a:cgi.pm:cgi.pm:3.28
cpe:/a:cgi.pm:cgi.pm:3.29
cpe:/a:cgi.pm:cgi.pm:3.30
cpe:/a:cgi.pm:cgi.pm:3.31
cpe:/a:cgi.pm:cgi.pm:3.32
cpe:/a:cgi.pm:cgi.pm:3.33
cpe:/a:cgi.pm:cgi.pm:3.34
cpe:/a:cgi.pm:cgi.pm:3.35
cpe:/a:cgi.pm:cgi.pm:3.36
cpe:/a:cgi.pm:cgi.pm:3.37
cpe:/a:cgi.pm:cgi.pm:3.38
cpe:/a:cgi.pm:cgi.pm:3.39
cpe:/a:cgi.pm:cgi.pm:3.40
cpe:/a:cgi.pm:cgi.pm:3.41
cpe:/a:cgi.pm:cgi.pm:3.42
cpe:/a:cgi.pm:cgi.pm:3.43
cpe:/a:cgi.pm:cgi.pm:3.44
cpe:/a:cgi.pm:cgi.pm:3.45
cpe:/a:cgi.pm:cgi.pm:3.46
cpe:/a:cgi.pm:cgi.pm:3.47
cpe:/a:cgi.pm:cgi.pm:3.48
cpe:/a:cgi.pm:cgi.pm:3.49 and previous versions
Vulnerability Analysis Results
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Alternatives

References
CONFIRM https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
CONFIRM http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
CONFIRM http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
CONFIRM http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
CONFIRM http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
MISC https://bugzilla.mozilla.org/show_bug.cgi?id=600464
MLIST [oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
MLIST [oss-security] 20101201 CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)
MLIST [oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)

Vulnerability Type: Code Injection (CWE-94)

Copyright © 2010 JPCERT/CC All Rights Reserved.