CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
mod_perl is vulnerable to arbitrary code execution. There are no configuration options that let an administrator control HTTP request processing without also allowing unprivileged users to run Perl code on the system in the context of the Apache HTTPd worker process. This would allow an attacker to execute arbitrary Perl code by saving it in a user-owned .htaccess file.
www.securityfocus.com/bid/105195
access.redhat.com/errata/RHSA-2018:2737
access.redhat.com/errata/RHSA-2018:2825
access.redhat.com/errata/RHSA-2018:2826
access.redhat.com/security/updates/classification/#important
bugs.debian.org/644169
lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d@%3Cmodperl-cvs.perl.apache.org%3E
lists.debian.org/debian-lts-announce/2018/09/msg00018.html
mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E
usn.ubuntu.com/3825-1/
usn.ubuntu.com/3825-2/