CVE-2011-2201
Published 2011-09-14. CVE-2011-2201: The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly preserve the taint attribute of data…
Priority: P3 · 34 · medium · CVSS 2.0 score: 4.3
CVSS vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploit: EPSS 6.16% (92.6th percentile)
The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly preserve the taint attribute of data, which might allow remote attackers to bypass the taint protection mechanism via form input.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libdata-formvalidator-perl | < libdata-formvalidator-perl 4.66-3 (bookworm) | libdata-formvalidator-perl 4.66-3 (bookworm) |
| mark_stosberg | data | <= 4.66 | — |
| mark_stosberg | data | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
GHSA
GHSA-348p-57x3-vxc3: The Data::FormValidator module 4
ghsa_unreviewed·2022-05-17
OSV
CVE-2011-2201: The Data::FormValidator module 4
osv·2011-09-14·CVSS 4.3
Debian
CVE-2011-2201: libdata-formvalidator-perl - The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_const...
vendor_debian·2011·CVSS 4.3
Scope: local
bookworm: resolved (fixed in 4.66-3)
bullseye: resolved (fixed in 4.66-3)
forky: resolved (fixed in 4.66-3)
sid: resolved (fixed in 4.66-3)
trixie: resolved (fixed in 4.66-3)
No detection rules found.
Bugzilla
CVE-2011-2201 perl-Data-FormValidator: Reports invalid field as valid when untaint_all_constraints used [fedora-all]
bugzilla·2011-06-12·CVSS 4.3
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=712694
Bugzilla
CVE-2011-2201 perl-Data-FormValidator: Reports invalid field as valid when untaint_all_constraints used
bugzilla·2011-06-12·CVSS 4.3
It was found that perl-Data-FormValidator, an HTML form user input validator,
used to treat certain invalid fields as valid when the
untaint_all_constraints directive was used (the default for the majority of
Data-FormValidator routines). A remote attacker could use this flaw to bypass
the Perl taint mode protection mechanism via specially crafted input provided to
the HTML form.
References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
[2] https://rt.cpan.org/Public/Bug/Display.html?id=61792
Discussion:
This issue affects the versions of the perl-Data-FormValidator package as
shipped with Fedora releases 13, 14, and 15. Please schedule an update
(once final upstream patch known
References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629511
[2] http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065416.html
[3] http://www.openwall.com/lists/oss-security/2011/06/12/3
[4] http://www.openwall.com/lists/oss-security/2011/06/13/13
[5] http://www.openwall.com/lists/oss-security/2011/06/13/5
[6] http://www.securityfocus.com/bid/48167
[7] https://bugzilla.redhat.com/show_bug.cgi?id=712694
[8] https://rt.cpan.org/Public/Bug/Display.html?id=61792
Published: 2011-09-14