CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N
Vendors Products
Andy Armstrong
  • Cgi-simple
  • Cgi.pm

Configuration 1 [-]

AND
OR cpe:2.3:a:andy_armstrong:cgi.pm:*:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.4:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.42:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.43:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.44:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.45:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.50:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.51:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.52:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.53:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.54:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.55:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.56:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:1.57:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.0:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.01:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.13:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.14:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.15:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.16:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.17:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.18:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.19:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.20:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.21:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.22:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.23:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.24:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.25:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.26:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.27:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.28:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.29:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.30:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.31:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.32:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.33:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.34:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.35:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.36:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.37:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.38:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.39:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.40:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.41:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.42:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.43:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.44:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.45:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.46:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.47:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.48:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.49:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.50:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.51:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.52:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.53:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.54:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.55:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.56:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.57:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.58:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.59:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.60:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.61:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.62:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.63:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.64:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.65:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.66:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.67:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.68:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.69:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.70:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.71:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.72:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.73:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.74:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.75:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.76:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.77:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.78:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.79:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.80:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.81:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.82:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.83:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.84:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.85:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.86:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.87:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.88:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.89:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.90:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.91:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.92:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.93:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.94:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.95:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.96:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.97:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.98:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.99:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.751:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:2.752:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.00:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.01:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.02:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.03:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.04:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.05:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.06:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.07:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.08:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.09:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.10:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.11:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.12:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.13:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.14:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.15:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.16:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.17:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.18:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.19:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.20:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.21:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.22:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.23:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.24:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.25:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.26:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.27:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.28:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.29:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.30:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.31:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.32:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.33:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.34:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.35:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.36:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.37:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.38:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.39:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.40:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.41:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.42:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.43:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.44:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.45:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.46:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.47:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi.pm:3.48:*:*:*:*:*:*:*
OR cpe:2.3:a:andy_armstrong:cgi-simple:*:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.078:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.079:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.080:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.081:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.082:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:0.83:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.0:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.1:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.103:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.104:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.105:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.106:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.107:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.108:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.109:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.110:*:*:*:*:*:*:*
cpe:2.3:a:andy_armstrong:cgi-simple:1.111:*:*:*:*:*:*:*
References
Link Resource
http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://openwall.com/lists/oss-security/2010/12/01/1 Patch
http://openwall.com/lists/oss-security/2010/12/01/2 Patch
http://openwall.com/lists/oss-security/2010/12/01/3 Patch
http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm Patch
http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1 Patch
http://secunia.com/advisories/43068
http://secunia.com/advisories/43147
http://www.mandriva.com/security/advisories?name=MDVSA-2010:237
http://www.mandriva.com/security/advisories?name=MDVSA-2010:252
http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html Patch
http://www.redhat.com/support/errata/RHSA-2011-1797.html
http://www.securityfocus.com/bid/44199
http://www.securityfocus.com/bid/45145
http://www.vupen.com/english/advisories/2010/3230
http://www.vupen.com/english/advisories/2011/0212
http://www.vupen.com/english/advisories/2011/0249
https://bugzilla.redhat.com/show_bug.cgi?id=658970
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2010-12-06T20:00:00

Updated: 2016-12-06T18:57:01

Reserved: 2010-12-06T00:00:00

Link: CVE-2010-4410

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2010-12-06T20:13:00.623

Modified: 2016-12-08T03:01:45.993

Link: CVE-2010-4410

JSON object: View

cve-icon Redhat Information

No data.

CWE