National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-4411)

National Cyber Awareness System

Vulnerability Summary for CVE-2010-4411

Original release date:12/06/2010

Last revised:02/17/2011

Source: US-CERT/NIST

Overview

Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized modification

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://bugzilla.mozilla.org/show_bug.cgi?id=591165

Hyperlink:https://bugzilla.mozilla.org/show_bug.cgi?id=591165

External Source: VUPEN

Name: ADV-2011-0271

Hyperlink:http://www.vupen.com/english/advisories/2011/0271

External Source: VUPEN

Name: ADV-2011-0212

Hyperlink:http://www.vupen.com/english/advisories/2011/0212

External Source: VUPEN

Name: ADV-2011-0207

Hyperlink:http://www.vupen.com/english/advisories/2011/0207

External Source: VUPEN

Name: ADV-2011-0106

Hyperlink:http://www.vupen.com/english/advisories/2011/0106

External Source: MANDRIVA

Name: MDVSA-2011:008

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:008

External Source: CONFIRM

Name: http://www.bugzilla.org/security/3.2.9/

Hyperlink:http://www.bugzilla.org/security/3.2.9/

External Source: SECUNIA

Name: 43165

Hyperlink:http://secunia.com/advisories/43165

External Source: SECUNIA

Name: 43068

Hyperlink:http://secunia.com/advisories/43068

External Source: SECUNIA

Name: 43033

Hyperlink:http://secunia.com/advisories/43033

External Source: MLIST

Name: [oss-security] 20101201 Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)

Hyperlink:http://openwall.com/lists/oss-security/2010/12/01/3

External Source: SUSE

Name: SUSE-SR:2011:002

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html

External Source: FEDORA

Name: FEDORA-2011-0755

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html

External Source: FEDORA

Name: FEDORA-2011-0741

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html

Vulnerable software and versions

Configuration 1

* cpe:/a:andy_armstrong:cgi.pm:2.71

* cpe:/a:andy_armstrong:cgi.pm:2.72

* cpe:/a:andy_armstrong:cgi.pm:2.73

* cpe:/a:andy_armstrong:cgi.pm:2.74

* cpe:/a:andy_armstrong:cgi.pm:2.67

* cpe:/a:andy_armstrong:cgi.pm:2.68

* cpe:/a:andy_armstrong:cgi.pm:2.69

* cpe:/a:andy_armstrong:cgi.pm:2.70

* cpe:/a:andy_armstrong:cgi.pm:2.77

* cpe:/a:andy_armstrong:cgi.pm:2.78

* cpe:/a:andy_armstrong:cgi.pm:2.79

* cpe:/a:andy_armstrong:cgi.pm:2.80

* cpe:/a:andy_armstrong:cgi.pm:2.75

* cpe:/a:andy_armstrong:cgi.pm:2.751

* cpe:/a:andy_armstrong:cgi.pm:2.752

* cpe:/a:andy_armstrong:cgi.pm:2.76

* cpe:/a:andy_armstrong:cgi.pm:2.86

* cpe:/a:andy_armstrong:cgi.pm:2.85

* cpe:/a:andy_armstrong:cgi.pm:2.88

* cpe:/a:andy_armstrong:cgi.pm:2.87

* cpe:/a:andy_armstrong:cgi.pm:2.82

* cpe:/a:andy_armstrong:cgi.pm:2.81

* cpe:/a:andy_armstrong:cgi.pm:2.84

* cpe:/a:andy_armstrong:cgi.pm:2.83

* cpe:/a:andy_armstrong:cgi.pm:2.94

* cpe:/a:andy_armstrong:cgi.pm:2.93

* cpe:/a:andy_armstrong:cgi.pm:2.95

* cpe:/a:andy_armstrong:cgi.pm:2.90

* cpe:/a:andy_armstrong:cgi.pm:2.89

* cpe:/a:andy_armstrong:cgi.pm:2.92

* cpe:/a:andy_armstrong:cgi.pm:2.91

* cpe:/a:andy_armstrong:cgi.pm:2.41

* cpe:/a:andy_armstrong:cgi.pm:2.42

* cpe:/a:andy_armstrong:cgi.pm:2.40

* cpe:/a:andy_armstrong:cgi.pm:2.38

* cpe:/a:andy_armstrong:cgi.pm:2.39

* cpe:/a:andy_armstrong:cgi.pm:2.36

* cpe:/a:andy_armstrong:cgi.pm:2.37

* cpe:/a:andy_armstrong:cgi.pm:2.49

* cpe:/a:andy_armstrong:cgi.pm:2.50

* cpe:/a:andy_armstrong:cgi.pm:2.47

* cpe:/a:andy_armstrong:cgi.pm:2.48

* cpe:/a:andy_armstrong:cgi.pm:2.45

* cpe:/a:andy_armstrong:cgi.pm:2.46

* cpe:/a:andy_armstrong:cgi.pm:2.43

* cpe:/a:andy_armstrong:cgi.pm:2.44

* cpe:/a:andy_armstrong:cgi.pm:2.58

* cpe:/a:andy_armstrong:cgi.pm:2.57

* cpe:/a:andy_armstrong:cgi.pm:2.56

* cpe:/a:andy_armstrong:cgi.pm:2.55

* cpe:/a:andy_armstrong:cgi.pm:2.54

* cpe:/a:andy_armstrong:cgi.pm:2.53

* cpe:/a:andy_armstrong:cgi.pm:2.52

* cpe:/a:andy_armstrong:cgi.pm:2.51

* cpe:/a:andy_armstrong:cgi.pm:2.66

* cpe:/a:andy_armstrong:cgi.pm:2.65

* cpe:/a:andy_armstrong:cgi.pm:2.64

* cpe:/a:andy_armstrong:cgi.pm:2.63

* cpe:/a:andy_armstrong:cgi.pm:2.62

* cpe:/a:andy_armstrong:cgi.pm:2.61

* cpe:/a:andy_armstrong:cgi.pm:2.60

* cpe:/a:andy_armstrong:cgi.pm:2.59

* cpe:/a:andy_armstrong:cgi.pm:1.51

* cpe:/a:andy_armstrong:cgi.pm:1.52

* cpe:/a:andy_armstrong:cgi.pm:1.53

* cpe:/a:andy_armstrong:cgi.pm:1.54

* cpe:/a:andy_armstrong:cgi.pm:1.55

* cpe:/a:andy_armstrong:cgi.pm:1.56

* cpe:/a:andy_armstrong:cgi.pm:1.57

* cpe:/a:andy_armstrong:cgi.pm:2.0

* cpe:/a:andy_armstrong:cgi.pm:2.01

* cpe:/a:andy_armstrong:cgi.pm:2.13

* cpe:/a:andy_armstrong:cgi.pm:2.14

* cpe:/a:andy_armstrong:cgi.pm:2.15

* cpe:/a:andy_armstrong:cgi.pm:2.16

* cpe:/a:andy_armstrong:cgi.pm:2.17

* cpe:/a:andy_armstrong:cgi.pm:2.18

* cpe:/a:andy_armstrong:cgi.pm:2.19

* cpe:/a:andy_armstrong:cgi.pm:2.21

* cpe:/a:andy_armstrong:cgi.pm:2.20

* cpe:/a:andy_armstrong:cgi.pm:2.23

* cpe:/a:andy_armstrong:cgi.pm:2.22

* cpe:/a:andy_armstrong:cgi.pm:2.25

* cpe:/a:andy_armstrong:cgi.pm:2.24

* cpe:/a:andy_armstrong:cgi.pm:2.27

* cpe:/a:andy_armstrong:cgi.pm:2.26

* cpe:/a:andy_armstrong:cgi.pm:2.29

* cpe:/a:andy_armstrong:cgi.pm:2.28

* cpe:/a:andy_armstrong:cgi.pm:2.31

* cpe:/a:andy_armstrong:cgi.pm:2.30

* cpe:/a:andy_armstrong:cgi.pm:2.33

* cpe:/a:andy_armstrong:cgi.pm:2.32

* cpe:/a:andy_armstrong:cgi.pm:2.35

* cpe:/a:andy_armstrong:cgi.pm:2.34

* cpe:/a:andy_armstrong:cgi.pm:1.42

* cpe:/a:andy_armstrong:cgi.pm:1.4

* cpe:/a:andy_armstrong:cgi.pm:1.50

* cpe:/a:andy_armstrong:cgi.pm:1.45

* cpe:/a:andy_armstrong:cgi.pm:1.44

* cpe:/a:andy_armstrong:cgi.pm:1.43

* cpe:/a:andy_armstrong:cgi.pm:2.96

* cpe:/a:andy_armstrong:cgi.pm:3.49

* cpe:/a:andy_armstrong:cgi.pm:3.38

* cpe:/a:andy_armstrong:cgi.pm:3.37

* cpe:/a:andy_armstrong:cgi.pm:3.40

* cpe:/a:andy_armstrong:cgi.pm:3.39

* cpe:/a:andy_armstrong:cgi.pm:3.42

* cpe:/a:andy_armstrong:cgi.pm:3.41

* cpe:/a:andy_armstrong:cgi.pm:3.44

* cpe:/a:andy_armstrong:cgi.pm:3.43

* cpe:/a:andy_armstrong:cgi.pm:3.30

* cpe:/a:andy_armstrong:cgi.pm:3.29

* cpe:/a:andy_armstrong:cgi.pm:3.32

* cpe:/a:andy_armstrong:cgi.pm:3.31

* cpe:/a:andy_armstrong:cgi.pm:3.34

* cpe:/a:andy_armstrong:cgi.pm:3.33

* cpe:/a:andy_armstrong:cgi.pm:3.36

* cpe:/a:andy_armstrong:cgi.pm:3.35

* cpe:/a:andy_armstrong:cgi.pm:3.45

* cpe:/a:andy_armstrong:cgi.pm:3.46

* cpe:/a:andy_armstrong:cgi.pm:3.47

* cpe:/a:andy_armstrong:cgi.pm:3.48

* cpe:/a:andy_armstrong:cgi.pm:3.08

* cpe:/a:andy_armstrong:cgi.pm:3.07

* cpe:/a:andy_armstrong:cgi.pm:3.06

* cpe:/a:andy_armstrong:cgi.pm:3.05

* cpe:/a:andy_armstrong:cgi.pm:3.12

* cpe:/a:andy_armstrong:cgi.pm:3.11

* cpe:/a:andy_armstrong:cgi.pm:3.10

* cpe:/a:andy_armstrong:cgi.pm:3.09

* cpe:/a:andy_armstrong:cgi.pm:3.00

* cpe:/a:andy_armstrong:cgi.pm:2.99

* cpe:/a:andy_armstrong:cgi.pm:2.98

* cpe:/a:andy_armstrong:cgi.pm:2.97

* cpe:/a:andy_armstrong:cgi.pm:3.04

* cpe:/a:andy_armstrong:cgi.pm:3.03

* cpe:/a:andy_armstrong:cgi.pm:3.02

* cpe:/a:andy_armstrong:cgi.pm:3.01

* cpe:/a:andy_armstrong:cgi.pm:3.23

* cpe:/a:andy_armstrong:cgi.pm:3.24

* cpe:/a:andy_armstrong:cgi.pm:3.21

* cpe:/a:andy_armstrong:cgi.pm:3.22

* cpe:/a:andy_armstrong:cgi.pm:3.27

* cpe:/a:andy_armstrong:cgi.pm:3.28

* cpe:/a:andy_armstrong:cgi.pm:3.25

* cpe:/a:andy_armstrong:cgi.pm:3.26

* cpe:/a:andy_armstrong:cgi.pm:3.15

* cpe:/a:andy_armstrong:cgi.pm:3.16

* cpe:/a:andy_armstrong:cgi.pm:3.13

* cpe:/a:andy_armstrong:cgi.pm:3.14

* cpe:/a:andy_armstrong:cgi.pm:3.19

* cpe:/a:andy_armstrong:cgi.pm:3.20

* cpe:/a:andy_armstrong:cgi.pm:3.17

* cpe:/a:andy_armstrong:cgi.pm:3.18

* cpe:/a:andy_armstrong:cgi.pm:3.50 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Insufficient Information (NVD-CWE-noinfo)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4411