CPANSA-mod_perl-2011-2767: mod_perl vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2018-08-26T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2018-08-26T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 9.8 | Severity | Critical |
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Vulnerabilities
CVE-2011-2767
Vulnerability Descriptionmod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
| Weakness | CWE-94 : Improper Control of Generation of Code ('Code Injection') |
|---|
Product status
Known affected
| Product | Score | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| mod_perl greater than or equal 2.0 and less than or equal 2.0.10 |
|
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-mod_perl-2011-2767 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2018/cpansa-mod_perl-2011-2767.json - https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E external
https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E - https://bugs.debian.org/644169 external
https://bugs.debian.org/644169 - https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html external
https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html - https://access.redhat.com/errata/RHSA-2018:2737 external
https://access.redhat.com/errata/RHSA-2018:2737 - https://access.redhat.com/errata/RHSA-2018:2826 external
https://access.redhat.com/errata/RHSA-2018:2826 - https://access.redhat.com/errata/RHSA-2018:2825 external
https://access.redhat.com/errata/RHSA-2018:2825 - http://www.securityfocus.com/bid/105195 external
http://www.securityfocus.com/bid/105195 - https://usn.ubuntu.com/3825-1/ external
https://usn.ubuntu.com/3825-1/ - https://usn.ubuntu.com/3825-2/ external
https://usn.ubuntu.com/3825-2/ - https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d@%3Cmodperl-cvs.perl.apache.org%3E external
https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d@%3Cmodperl-cvs.perl.apache.org%3E - http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html external
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html - http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html external
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html - CVE-2011-2767 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2011-2767
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Sun Aug 26 00:00:00 2018 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/