CVE-2010-4410

2010-12-0600:00:00

ubuntu.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.008 Low

EPSS

Percentile

80.9%

JSON

CRLF injection vulnerability in the header function in (1) CGI.pm before
3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote
attackers to inject arbitrary HTTP headers and conduct HTTP response
splitting attacks via vectors related to non-whitespace characters preceded
by newline characters, a different vulnerability than CVE-2010-2761 and
CVE-2010-3172.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370 (libcgi-pm-perl)>
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606379 (libcgi-simple-perl)>
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606995 (perl)>

Notes

Author	Note
mdeslaur	debian fix in perl is cgi-multiline-header.diff

OSVersionArchitecturePackageVersionFilename
ubuntu6.06noarchperl< 5.8.7-10ubuntu1.3UNKNOWN
ubuntu8.04noarchperl< 5.8.8-12ubuntu0.5UNKNOWN
ubuntu10.04noarchperl< 5.10.1-8ubuntu2.1UNKNOWN
ubuntu10.10noarchperl< 5.10.1-12ubuntu2.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	6.06	noarch	perl	< 5.8.7-10ubuntu1.3	UNKNOWN
ubuntu	8.04	noarch	perl	< 5.8.8-12ubuntu0.5	UNKNOWN
ubuntu	10.04	noarch	perl	< 5.10.1-8ubuntu2.1	UNKNOWN
ubuntu	10.10	noarch	perl	< 5.10.1-12ubuntu2.1	UNKNOWN