OpenCVE

CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Andy Armstrong	Cgi-simple Cgi.pm
Redhat	Enterprise Linux

Configuration 1 [-]

AND

OR	cpe:2.3:a:andy_armstrong:cgi.pm::::::::
	cpe:2.3:a:andy_armstrong:cgi.pm:1.4:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.42:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.43:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.44:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.45:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.50:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.51:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.52:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.53:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.54:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.55:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.56:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:1.57:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.0:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.01:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.13:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.14:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.15:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.16:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.17:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.18:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.19:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.20:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.21:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.22:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.23:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.24:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.25:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.26:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.27:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.28:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.29:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.30:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.31:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.32:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.33:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.34:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.35:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.36:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.37:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.38:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.39:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.40:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.41:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.42:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.43:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.44:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.45:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.46:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.47:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.48:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.49:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.50:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.51:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.52:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.53:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.54:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.55:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.56:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.57:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.58:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.59:::::::*
	cpe:2.3:a:andy_armstrong:cgi.pm:2.60:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.61:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.62:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.63:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.64:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.65:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.66:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.67:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.68:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.69:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.70:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.71:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.72:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.73:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.74:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.75:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.76:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.77:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.78:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.79:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.80:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.81:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.82:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.83:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.84:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.85:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.86:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.87:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.88:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.89:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.90:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.91:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.92:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.93:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.94:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.95:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.96:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.97:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.98:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.99:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.751:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:2.752:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.00:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.01:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.02:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.03:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.04:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.05:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.06:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.07:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.08:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.09:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.10:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.11:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.12:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.13:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.14:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.15:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.16:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.17:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.18:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.19:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.20:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.21:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.22:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.23:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.24:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.25:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.26:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.27:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.28:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.29:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.30:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.31:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.32:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.33:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.34:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.35:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.36:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.37:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.38:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.39:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.40:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.41:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.42:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.43:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.44:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.45:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.46:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.47:::::::*
cpe:2.3:a:andy_armstrong:cgi.pm:3.48:::::::*

OR	cpe:2.3:a:andy_armstrong:cgi-simple::::::::
	cpe:2.3:a:andy_armstrong:cgi-simple:0.078:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:0.079:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:0.080:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:0.081:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:0.082:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:0.83:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.0:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.1:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.1.1:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.1.2:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.103:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.104:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.105:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.106:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.107:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.108:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.109:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.110:::::::*
	cpe:2.3:a:andy_armstrong:cgi-simple:1.111:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 4
perl-3:5.8.5-57.el4	cpe:/o:redhat:enterprise_linux:4	RHSA-2011:1797	2011-12-08T00:00:00Z
Red Hat Enterprise Linux 5
perl-4:5.8.8-32.el5_7.6	cpe:/o:redhat:enterprise_linux:5	RHSA-2011:1797	2011-12-08T00:00:00Z
Red Hat Enterprise Linux 6
perl-4:5.10.1-119.el6	cpe:/o:redhat:enterprise_linux:6	RHSA-2011:0558	2011-05-19T00:00:00Z

References

Link	Providers
http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://openwall.com/lists/oss-security/2010/12/01/1
http://openwall.com/lists/oss-security/2010/12/01/2
http://openwall.com/lists/oss-security/2010/12/01/3
http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
http://secunia.com/advisories/43068
http://secunia.com/advisories/43147
http://www.mandriva.com/security/advisories?name=MDVSA-2010:237
http://www.mandriva.com/security/advisories?name=MDVSA-2010:252
http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
http://www.redhat.com/support/errata/RHSA-2011-1797.html
http://www.securityfocus.com/bid/44199
http://www.securityfocus.com/bid/45145
http://www.vupen.com/english/advisories/2010/3230
http://www.vupen.com/english/advisories/2011/0212
http://www.vupen.com/english/advisories/2011/0249
https://bugzilla.redhat.com/show_bug.cgi?id=658970
https://nvd.nist.gov/vuln/detail/CVE-2010-4410
https://www.cve.org/CVERecord?id=CVE-2010-4410

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-12-06T20:00:00

Updated: 2024-08-07T03:43:14.901Z

Reserved: 2010-12-06T00:00:00

Link: CVE-2010-4410

Vulnrichment

No data.

NVD

Status : Modified

Published: 2010-12-06T20:13:00.623

Modified: 2024-11-21T01:20:53.727

Link: CVE-2010-4410

Redhat

Severity : Moderate

Publid Date: 2010-11-10T00:00:00Z

Links: CVE-2010-4410 - Bugzilla

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object