CVE-2010-4410

Description

CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.

Affected products

• andy_armstrong / cgi.pm3.49
• andy_armstrong / cgi.pm1.4 – 1.4
• andy_armstrong / cgi.pm1.42 – 1.42
• andy_armstrong / cgi.pm1.43 – 1.43
• andy_armstrong / cgi.pm1.44 – 1.44
• andy_armstrong / cgi.pm1.45 – 1.45
• andy_armstrong / cgi.pm1.50 – 1.50
• andy_armstrong / cgi.pm1.51 – 1.51
• andy_armstrong / cgi.pm1.52 – 1.52
• andy_armstrong / cgi.pm1.53 – 1.53
• andy_armstrong / cgi.pm1.54 – 1.54
• andy_armstrong / cgi.pm1.55 – 1.55
• andy_armstrong / cgi.pm1.56 – 1.56
• andy_armstrong / cgi.pm1.57 – 1.57
• andy_armstrong / cgi.pm2.0 – 2.0
• andy_armstrong / cgi.pm2.01 – 2.01
• andy_armstrong / cgi.pm2.13 – 2.13
• andy_armstrong / cgi.pm2.14 – 2.14
• andy_armstrong / cgi.pm2.15 – 2.15
• andy_armstrong / cgi.pm2.16 – 2.16
• andy_armstrong / cgi.pm2.17 – 2.17
• andy_armstrong / cgi.pm2.18 – 2.18
• andy_armstrong / cgi.pm2.19 – 2.19
• andy_armstrong / cgi.pm2.20 – 2.20
• andy_armstrong / cgi.pm2.21 – 2.21
• andy_armstrong / cgi.pm2.22 – 2.22
• andy_armstrong / cgi.pm2.23 – 2.23
• andy_armstrong / cgi.pm2.24 – 2.24
• andy_armstrong / cgi.pm2.25 – 2.25
• andy_armstrong / cgi.pm2.26 – 2.26
• andy_armstrong / cgi.pm2.27 – 2.27
• andy_armstrong / cgi.pm2.28 – 2.28
• andy_armstrong / cgi.pm2.29 – 2.29
• andy_armstrong / cgi.pm2.30 – 2.30
• andy_armstrong / cgi.pm2.31 – 2.31
• andy_armstrong / cgi.pm2.32 – 2.32
• andy_armstrong / cgi.pm2.33 – 2.33
• andy_armstrong / cgi.pm2.34 – 2.34
• andy_armstrong / cgi.pm2.35 – 2.35
• andy_armstrong / cgi.pm2.36 – 2.36
• andy_armstrong / cgi.pm2.37 – 2.37
• andy_armstrong / cgi.pm2.38 – 2.38
• andy_armstrong / cgi.pm2.39 – 2.39
• andy_armstrong / cgi.pm2.40 – 2.40
• andy_armstrong / cgi.pm2.41 – 2.41
• andy_armstrong / cgi.pm2.42 – 2.42
• andy_armstrong / cgi.pm2.43 – 2.43
• andy_armstrong / cgi.pm2.44 – 2.44
• andy_armstrong / cgi.pm2.45 – 2.45
• andy_armstrong / cgi.pm2.46 – 2.46
• andy_armstrong / cgi.pm2.47 – 2.47
• andy_armstrong / cgi.pm2.48 – 2.48
• andy_armstrong / cgi.pm2.49 – 2.49
• andy_armstrong / cgi.pm2.50 – 2.50
• andy_armstrong / cgi.pm2.51 – 2.51
• andy_armstrong / cgi.pm2.52 – 2.52
• andy_armstrong / cgi.pm2.53 – 2.53
• andy_armstrong / cgi.pm2.54 – 2.54
• andy_armstrong / cgi.pm2.55 – 2.55
• andy_armstrong / cgi.pm2.56 – 2.56
• andy_armstrong / cgi.pm2.57 – 2.57
• andy_armstrong / cgi.pm2.58 – 2.58
• andy_armstrong / cgi.pm2.59 – 2.59
• andy_armstrong / cgi.pm2.60 – 2.60
• andy_armstrong / cgi.pm2.61 – 2.61
• andy_armstrong / cgi.pm2.62 – 2.62
• andy_armstrong / cgi.pm2.63 – 2.63
• andy_armstrong / cgi.pm2.64 – 2.64
• andy_armstrong / cgi.pm2.65 – 2.65
• andy_armstrong / cgi.pm2.66 – 2.66
• andy_armstrong / cgi.pm2.67 – 2.67
• andy_armstrong / cgi.pm2.68 – 2.68
• andy_armstrong / cgi.pm2.69 – 2.69
• andy_armstrong / cgi.pm2.70 – 2.70
• andy_armstrong / cgi.pm2.71 – 2.71
• andy_armstrong / cgi.pm2.72 – 2.72
• andy_armstrong / cgi.pm2.73 – 2.73
• andy_armstrong / cgi.pm2.74 – 2.74
• andy_armstrong / cgi.pm2.75 – 2.75
• andy_armstrong / cgi.pm2.76 – 2.76
• andy_armstrong / cgi.pm2.77 – 2.77
• andy_armstrong / cgi.pm2.78 – 2.78
• andy_armstrong / cgi.pm2.79 – 2.79
• andy_armstrong / cgi.pm2.80 – 2.80
• andy_armstrong / cgi.pm2.81 – 2.81
• andy_armstrong / cgi.pm2.82 – 2.82
• andy_armstrong / cgi.pm2.83 – 2.83
• andy_armstrong / cgi.pm2.84 – 2.84
• andy_armstrong / cgi.pm2.85 – 2.85
• andy_armstrong / cgi.pm2.86 – 2.86
• andy_armstrong / cgi.pm2.87 – 2.87
• andy_armstrong / cgi.pm2.88 – 2.88
• andy_armstrong / cgi.pm2.89 – 2.89
• andy_armstrong / cgi.pm2.90 – 2.90
• andy_armstrong / cgi.pm2.91 – 2.91
• andy_armstrong / cgi.pm2.92 – 2.92
• andy_armstrong / cgi.pm2.93 – 2.93
• andy_armstrong / cgi.pm2.94 – 2.94
• andy_armstrong / cgi.pm2.95 – 2.95
• andy_armstrong / cgi.pm2.96 – 2.96
• andy_armstrong / cgi.pm2.97 – 2.97
• andy_armstrong / cgi.pm2.98 – 2.98
• andy_armstrong / cgi.pm2.99 – 2.99
• andy_armstrong / cgi.pm2.751 – 2.751
• andy_armstrong / cgi.pm2.752 – 2.752
• andy_armstrong / cgi.pm3.00 – 3.00
• andy_armstrong / cgi.pm3.01 – 3.01
• andy_armstrong / cgi.pm3.02 – 3.02
• andy_armstrong / cgi.pm3.03 – 3.03
• andy_armstrong / cgi.pm3.04 – 3.04
• andy_armstrong / cgi.pm3.05 – 3.05
• andy_armstrong / cgi.pm3.06 – 3.06
• andy_armstrong / cgi.pm3.07 – 3.07
• andy_armstrong / cgi.pm3.08 – 3.08
• andy_armstrong / cgi.pm3.09 – 3.09
• andy_armstrong / cgi.pm3.10 – 3.10
• andy_armstrong / cgi.pm3.11 – 3.11
• andy_armstrong / cgi.pm3.12 – 3.12
• andy_armstrong / cgi.pm3.13 – 3.13
• andy_armstrong / cgi.pm3.14 – 3.14
• andy_armstrong / cgi.pm3.15 – 3.15
• andy_armstrong / cgi.pm3.16 – 3.16
• andy_armstrong / cgi.pm3.17 – 3.17
• andy_armstrong / cgi.pm3.18 – 3.18
• andy_armstrong / cgi.pm3.19 – 3.19
• andy_armstrong / cgi.pm3.20 – 3.20
• andy_armstrong / cgi.pm3.21 – 3.21
• andy_armstrong / cgi.pm3.22 – 3.22
• andy_armstrong / cgi.pm3.23 – 3.23
• andy_armstrong / cgi.pm3.24 – 3.24
• andy_armstrong / cgi.pm3.25 – 3.25
• andy_armstrong / cgi.pm3.26 – 3.26
• andy_armstrong / cgi.pm3.27 – 3.27
• andy_armstrong / cgi.pm3.28 – 3.28
• andy_armstrong / cgi.pm3.29 – 3.29
• andy_armstrong / cgi.pm3.30 – 3.30
• andy_armstrong / cgi.pm3.31 – 3.31
• andy_armstrong / cgi.pm3.32 – 3.32
• andy_armstrong / cgi.pm3.33 – 3.33
• andy_armstrong / cgi.pm3.34 – 3.34
• andy_armstrong / cgi.pm3.35 – 3.35
• andy_armstrong / cgi.pm3.36 – 3.36
• andy_armstrong / cgi.pm3.37 – 3.37
• andy_armstrong / cgi.pm3.38 – 3.38
• andy_armstrong / cgi.pm3.39 – 3.39
• andy_armstrong / cgi.pm3.40 – 3.40
• andy_armstrong / cgi.pm3.41 – 3.41
• andy_armstrong / cgi.pm3.42 – 3.42
• andy_armstrong / cgi.pm3.43 – 3.43
• andy_armstrong / cgi.pm3.44 – 3.44
• andy_armstrong / cgi.pm3.45 – 3.45
• andy_armstrong / cgi.pm3.46 – 3.46
• andy_armstrong / cgi.pm3.47 – 3.47
• andy_armstrong / cgi.pm3.48 – 3.48
• andy_armstrong / cgi-simple1.112
• andy_armstrong / cgi-simple0.078 – 0.078
• andy_armstrong / cgi-simple0.079 – 0.079
• andy_armstrong / cgi-simple0.080 – 0.080
• andy_armstrong / cgi-simple0.081 – 0.081
• andy_armstrong / cgi-simple0.082 – 0.082
• andy_armstrong / cgi-simple0.83 – 0.83
• andy_armstrong / cgi-simple1.0 – 1.0
• andy_armstrong / cgi-simple1.1 – 1.1
• andy_armstrong / cgi-simple1.1.1 – 1.1.1
• andy_armstrong / cgi-simple1.1.2 – 1.1.2
• andy_armstrong / cgi-simple1.103 – 1.103
• andy_armstrong / cgi-simple1.104 – 1.104
• andy_armstrong / cgi-simple1.105 – 1.105
• andy_armstrong / cgi-simple1.106 – 1.106
• andy_armstrong / cgi-simple1.107 – 1.107
• andy_armstrong / cgi-simple1.108 – 1.108
• andy_armstrong / cgi-simple1.109 – 1.109
• andy_armstrong / cgi-simple1.110 – 1.110
• andy_armstrong / cgi-simple1.111 – 1.111

References

• MISChttp://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
• MISChttp://www.redhat.com/support/errata/RHSA-2011-1797.html
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/43068
• MAILING_LISThttp://openwall.com/lists/oss-security/2010/12/01/2
• MAILING_LISThttp://openwall.com/lists/oss-security/2010/12/01/3
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2011/0212
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:252
• MISChttp://www.securityfocus.com/bid/44199
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
• MISChttps://bugzilla.redhat.com/show_bug.cgi?id=658970
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
• MISChttp://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3230
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2011/0249
• MISChttp://www.securityfocus.com/bid/45145
• MISChttp://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:237
• MAILING_LISThttp://openwall.com/lists/oss-security/2010/12/01/1
• MISChttp://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
• MISChttp://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
• VENDOR_ADVISORYhttp://secunia.com/advisories/43147
• MISChttp://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735