CVE-2010-2761 — Code Injection in CGI Simple

CWE-94 — Code Injection21 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.8%

top 16.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Manwar CGI Simple Perl Debian Libcgi-pm-perl +5 more

Timeline

PublishedDec 6

Latest updateMay 17

Description

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages8 packages

▶CVEListV5manwar/cgi_simple< 1.282

▶debiandebian/libcgi-simple-perl< libcgi-pm-perl 3.50-1 (bookworm)+1

▶NVDandy_armstrong/cgi-simple1.112+19

▶debiandebian/perl< libcgi-pm-perl 3.50-1 (bookworm)+1

▶debiandebian/libcgi-pm-perl< libcgi-pm-perl 3.50-1 (bookworm)+1

Patches

Patch: openwall.com ↗Patch: openwall.com ↗Patch: perl5.git.perl.org ↗

🔴Vulnerability Details

GHSA

GHSA-93g6-7v2r-h2r4: CRLF injection vulnerability in chart↗2022-05-17

▶

GHSA

GHSA-63qf-cwcv-ff3r: CRLF injection vulnerability in the header function in (1) CGI↗2022-05-17

▶

GHSA

GHSA-wj7r-99wr-72wm: Unspecified vulnerability in CGI↗2022-05-17

▶

GHSA

GHSA-8x6h-gq6j-8x3j: The multipart_init function in (1) CGI↗2022-05-17

▶

OSV

CVE-2010-2761: The multipart_init function in (1) CGI↗2010-12-06

▶

📋Vendor Advisories

Ubuntu

Perl vulnerabilities↗2011-05-03

▶

Red Hat

perl-CGI-Simple: - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting↗2010-11-10

▶

Red Hat

perl-CGI-Simple: - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting↗2010-11-10

▶

Debian

CVE-2010-4410: libcgi-pm-perl - CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 an...↗2010

▶

Debian

CVE-2010-4411: libcgi-pm-perl - Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to ...↗2010

▶

💬Community

Bugzilla

perl-CGI, perl-CGI-Simple: CVE-2010-2761 - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting [fedora-all]↗2011-10-05

▶

Bugzilla

bugzilla: multiple security issues↗2011-01-26

▶

Bugzilla

perl-CGI, perl-CGI-Simple: CVE-2010-2761 - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting↗2010-12-01

▶

Bugzilla

perl-CGI-Simple: CVE-2010-2761 -- hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, CVE-2010-4410 -- CRLF injection vulnerability in the header function flaws [fedora-a↗2010-12-01

▶