CVE-2022-31081 — HTTP Request Smuggling in Http-daemon
Severity
6.5 MEDIUM (NVD)
EPSS
0.5%
top 34.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 27
Latest update: Apr 15
Description
HTTP::Daemon is a simple HTTP server class written in Perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are; most Perl-based applications are served on top of Nginx or Apache, not on `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add add…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5
Affected Packages: 2 packages
Also affects: Debian Linux 10.0