The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Andy Armstrong
  • Cgi-simple
  • Cgi.pm
Redhat
  • Enterprise Linux

Configuration 1 [-]

AND
OR cpe:2.3:a:andy_armstrong:cgi.pm:*:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.4:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.42:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.43:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.44:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.45:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.50:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.51:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.52:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.53:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.54:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.55:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.56:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.57:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.0:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.01:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.13:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.14:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.15:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.16:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.17:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.18:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.19:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.20:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.21:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.22:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.23:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.24:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.25:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.26:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.27:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.28:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.29:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.30:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.31:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.32:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.33:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.34:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.35:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.36:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.37:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.38:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.39:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.40:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.41:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.42:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.43:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.44:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.45:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.46:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.47:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.48:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.49:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.50:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.51:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.52:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.53:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.54:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.55:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.56:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.57:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.58:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.59:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.60:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.61:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.62:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.63:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.64:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.65:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.66:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.67:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.68:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.69:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.70:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.71:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.72:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.73:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.74:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.75:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.76:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.77:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.78:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.79:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.80:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.81:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.82:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.83:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.84:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.85:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.86:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.87:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.88:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.89:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.90:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.91:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.92:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.93:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.94:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.95:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.96:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.97:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.98:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.99:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.751:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.752:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.00:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.01:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.02:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.03:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.04:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.05:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.06:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.07:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.08:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.09:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.10:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.11:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.12:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.13:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.14:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.15:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.16:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.17:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.18:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.19:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.20:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.21:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.22:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.23:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.24:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.25:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.26:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.27:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.28:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.29:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.30:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.31:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.32:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.33:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.34:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.35:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.36:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.37:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.38:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.39:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.40:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.41:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.42:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.43:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.44:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.45:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.46:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.47:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.48:*:*:*:*:*:*:*
OR cpe:2.3:a:andy_armstrong:cgi-simple:*:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.078:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.079:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.080:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.081:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.082:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.83:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.0:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.1:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.103:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.104:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.105:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.106:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.107:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.108:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.109:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.110:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.111:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 4
perl-3:5.8.5-57.el4 cpe:/o:redhat:enterprise_linux:4 RHSA-2011:1797 2011-12-08T00:00:00Z
Red Hat Enterprise Linux 5
perl-4:5.8.8-32.el5_7.6 cpe:/o:redhat:enterprise_linux:5 RHSA-2011:1797 2011-12-08T00:00:00Z
Red Hat Enterprise Linux 6
perl-4:5.10.1-119.el6 cpe:/o:redhat:enterprise_linux:6 RHSA-2011:0558 2011-05-19T00:00:00Z
References
Link Providers
http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes cve-icon cve-icon
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 cve-icon cve-icon
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html cve-icon cve-icon
http://openwall.com/lists/oss-security/2010/12/01/1 cve-icon cve-icon
http://openwall.com/lists/oss-security/2010/12/01/2 cve-icon cve-icon
http://openwall.com/lists/oss-security/2010/12/01/3 cve-icon cve-icon
http://osvdb.org/69588 cve-icon cve-icon
http://osvdb.org/69589 cve-icon cve-icon
http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm cve-icon cve-icon
http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1 cve-icon cve-icon
http://secunia.com/advisories/42877 cve-icon cve-icon
http://secunia.com/advisories/43033 cve-icon cve-icon
http://secunia.com/advisories/43068 cve-icon cve-icon
http://secunia.com/advisories/43147 cve-icon cve-icon
http://secunia.com/advisories/43165 cve-icon cve-icon
http://www.bugzilla.org/security/3.2.9/ cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2010:237 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2010:250 cve-icon cve-icon
http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2011-1797.html cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0076 cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0207 cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0212 cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0249 cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0271 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=591165 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=600464 cve-icon cve-icon
https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2010-2761 cve-icon
https://www.cve.org/CVERecord?id=CVE-2010-2761 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-12-06T20:00:00

Updated: 2024-08-07T02:46:47.287Z

Reserved: 2010-07-14T00:00:00

Link: CVE-2010-2761

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2010-12-06T20:12:58.653

Modified: 2016-12-08T03:01:41.227

Link: CVE-2010-2761

cve-icon Redhat

Severity : Moderate

Publid Date: 2010-11-10T00:00:00Z

Links: CVE-2010-2761 - Bugzilla