Design/Logic Flaw

2018-08-2616:29:00

PRIOn knowledge base

www.prio-n.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.008 Low

EPSS

Percentile

80.7%

JSON

mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator’s control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.

CPENameOperatorVersion
mod_perlge2.0.0
mod_perlle2.0.10
ubuntu_linuxeq16.04
ubuntu_linuxeq14.04
ubuntu_linuxeq12.04
ubuntu_linuxeq18.04
ubuntu_linuxeq18.10
debian_linuxeq8.0
enterprise_linuxeq7.4
enterprise_linuxeq7.0

Name	Operator	Version
mod_perl	ge	2.0.0
mod_perl	le	2.0.10
ubuntu_linux	eq	16.04
ubuntu_linux	eq	14.04
ubuntu_linux	eq	12.04
ubuntu_linux	eq	18.04
ubuntu_linux	eq	18.10
debian_linux	eq	8.0
enterprise_linux	eq	7.4
enterprise_linux	eq	7.0