CVE-2010-2761

Published: Dec 6, 2010Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.

Affected (174)

Products: Andy Armstrong: Cgi.pm, Cgi Simple

Andy Armstrong

2 products

Cgi.pm

Cgi Simple

Configuration A

174 vulnerable

Vulnerable Software	Affected Versions
Andy Armstrong Cgi.pm	Up to 3.49
Andy Armstrong Cgi.pm	Version 1.42
Andy Armstrong Cgi.pm	Version 1.43
Andy Armstrong Cgi.pm	Version 1.44
Andy Armstrong Cgi.pm	Version 1.45
Andy Armstrong Cgi.pm	Version 1.4
Andy Armstrong Cgi.pm	Version 1.50
Andy Armstrong Cgi.pm	Version 1.51
Andy Armstrong Cgi.pm	Version 1.52
Andy Armstrong Cgi.pm	Version 1.53
Andy Armstrong Cgi.pm	Version 1.54
Andy Armstrong Cgi.pm	Version 1.55
Andy Armstrong Cgi.pm	Version 1.56
Andy Armstrong Cgi.pm	Version 1.57
Andy Armstrong Cgi.pm	Version 2.01
Andy Armstrong Cgi.pm	Version 2.0
Andy Armstrong Cgi.pm	Version 2.13
Andy Armstrong Cgi.pm	Version 2.14
Andy Armstrong Cgi.pm	Version 2.15
Andy Armstrong Cgi.pm	Version 2.16
Andy Armstrong Cgi.pm	Version 2.17
Andy Armstrong Cgi.pm	Version 2.18
Andy Armstrong Cgi.pm	Version 2.19
Andy Armstrong Cgi.pm	Version 2.20
Andy Armstrong Cgi.pm	Version 2.21
Andy Armstrong Cgi.pm	Version 2.22
Andy Armstrong Cgi.pm	Version 2.23
Andy Armstrong Cgi.pm	Version 2.24
Andy Armstrong Cgi.pm	Version 2.25
Andy Armstrong Cgi.pm	Version 2.26
Andy Armstrong Cgi.pm	Version 2.27
Andy Armstrong Cgi.pm	Version 2.28
Andy Armstrong Cgi.pm	Version 2.29
Andy Armstrong Cgi.pm	Version 2.30
Andy Armstrong Cgi.pm	Version 2.31
Andy Armstrong Cgi.pm	Version 2.32
Andy Armstrong Cgi.pm	Version 2.33
Andy Armstrong Cgi.pm	Version 2.34
Andy Armstrong Cgi.pm	Version 2.35
Andy Armstrong Cgi.pm	Version 2.36
Andy Armstrong Cgi.pm	Version 2.37
Andy Armstrong Cgi.pm	Version 2.38
Andy Armstrong Cgi.pm	Version 2.39
Andy Armstrong Cgi.pm	Version 2.40
Andy Armstrong Cgi.pm	Version 2.41
Andy Armstrong Cgi.pm	Version 2.42
Andy Armstrong Cgi.pm	Version 2.43
Andy Armstrong Cgi.pm	Version 2.44
Andy Armstrong Cgi.pm	Version 2.45
Andy Armstrong Cgi.pm	Version 2.46
Andy Armstrong Cgi.pm	Version 2.47
Andy Armstrong Cgi.pm	Version 2.48
Andy Armstrong Cgi.pm	Version 2.49
Andy Armstrong Cgi.pm	Version 2.50
Andy Armstrong Cgi.pm	Version 2.51
Andy Armstrong Cgi.pm	Version 2.52
Andy Armstrong Cgi.pm	Version 2.53
Andy Armstrong Cgi.pm	Version 2.54
Andy Armstrong Cgi.pm	Version 2.55
Andy Armstrong Cgi.pm	Version 2.56
Andy Armstrong Cgi.pm	Version 2.57
Andy Armstrong Cgi.pm	Version 2.58
Andy Armstrong Cgi.pm	Version 2.59
Andy Armstrong Cgi.pm	Version 2.60
Andy Armstrong Cgi.pm	Version 2.61
Andy Armstrong Cgi.pm	Version 2.62
Andy Armstrong Cgi.pm	Version 2.63
Andy Armstrong Cgi.pm	Version 2.64
Andy Armstrong Cgi.pm	Version 2.65
Andy Armstrong Cgi.pm	Version 2.66
Andy Armstrong Cgi.pm	Version 2.67
Andy Armstrong Cgi.pm	Version 2.68
Andy Armstrong Cgi.pm	Version 2.69
Andy Armstrong Cgi.pm	Version 2.70
Andy Armstrong Cgi.pm	Version 2.71
Andy Armstrong Cgi.pm	Version 2.72
Andy Armstrong Cgi.pm	Version 2.73
Andy Armstrong Cgi.pm	Version 2.74
Andy Armstrong Cgi.pm	Version 2.751
Andy Armstrong Cgi.pm	Version 2.752
Andy Armstrong Cgi.pm	Version 2.75
Andy Armstrong Cgi.pm	Version 2.76
Andy Armstrong Cgi.pm	Version 2.77
Andy Armstrong Cgi.pm	Version 2.78
Andy Armstrong Cgi.pm	Version 2.79
Andy Armstrong Cgi.pm	Version 2.80
Andy Armstrong Cgi.pm	Version 2.81
Andy Armstrong Cgi.pm	Version 2.82
Andy Armstrong Cgi.pm	Version 2.83
Andy Armstrong Cgi.pm	Version 2.84
Andy Armstrong Cgi.pm	Version 2.85
Andy Armstrong Cgi.pm	Version 2.86
Andy Armstrong Cgi.pm	Version 2.87
Andy Armstrong Cgi.pm	Version 2.88
Andy Armstrong Cgi.pm	Version 2.89
Andy Armstrong Cgi.pm	Version 2.90
Andy Armstrong Cgi.pm	Version 2.91
Andy Armstrong Cgi.pm	Version 2.92
Andy Armstrong Cgi.pm	Version 2.93
Andy Armstrong Cgi.pm	Version 2.94
Andy Armstrong Cgi.pm	Version 2.95
Andy Armstrong Cgi.pm	Version 2.96
Andy Armstrong Cgi.pm	Version 2.97
Andy Armstrong Cgi.pm	Version 2.98
Andy Armstrong Cgi.pm	Version 2.99
Andy Armstrong Cgi.pm	Version 3.00
Andy Armstrong Cgi.pm	Version 3.01
Andy Armstrong Cgi.pm	Version 3.02
Andy Armstrong Cgi.pm	Version 3.03
Andy Armstrong Cgi.pm	Version 3.04
Andy Armstrong Cgi.pm	Version 3.05
Andy Armstrong Cgi.pm	Version 3.06
Andy Armstrong Cgi.pm	Version 3.07
Andy Armstrong Cgi.pm	Version 3.08
Andy Armstrong Cgi.pm	Version 3.09
Andy Armstrong Cgi.pm	Version 3.10
Andy Armstrong Cgi.pm	Version 3.11
Andy Armstrong Cgi.pm	Version 3.12
Andy Armstrong Cgi.pm	Version 3.13
Andy Armstrong Cgi.pm	Version 3.14
Andy Armstrong Cgi.pm	Version 3.15
Andy Armstrong Cgi.pm	Version 3.16
Andy Armstrong Cgi.pm	Version 3.17
Andy Armstrong Cgi.pm	Version 3.18
Andy Armstrong Cgi.pm	Version 3.19
Andy Armstrong Cgi.pm	Version 3.20
Andy Armstrong Cgi.pm	Version 3.21
Andy Armstrong Cgi.pm	Version 3.22
Andy Armstrong Cgi.pm	Version 3.23
Andy Armstrong Cgi.pm	Version 3.24
Andy Armstrong Cgi.pm	Version 3.25
Andy Armstrong Cgi.pm	Version 3.26
Andy Armstrong Cgi.pm	Version 3.27
Andy Armstrong Cgi.pm	Version 3.28
Andy Armstrong Cgi.pm	Version 3.29
Andy Armstrong Cgi.pm	Version 3.30
Andy Armstrong Cgi.pm	Version 3.31
Andy Armstrong Cgi.pm	Version 3.32
Andy Armstrong Cgi.pm	Version 3.33
Andy Armstrong Cgi.pm	Version 3.34
Andy Armstrong Cgi.pm	Version 3.35
Andy Armstrong Cgi.pm	Version 3.36
Andy Armstrong Cgi.pm	Version 3.37
Andy Armstrong Cgi.pm	Version 3.38
Andy Armstrong Cgi.pm	Version 3.39
Andy Armstrong Cgi.pm	Version 3.40
Andy Armstrong Cgi.pm	Version 3.41
Andy Armstrong Cgi.pm	Version 3.42
Andy Armstrong Cgi.pm	Version 3.43
Andy Armstrong Cgi.pm	Version 3.44
Andy Armstrong Cgi.pm	Version 3.45
Andy Armstrong Cgi.pm	Version 3.46
Andy Armstrong Cgi.pm	Version 3.47
Andy Armstrong Cgi.pm	Version 3.48
Andy Armstrong Cgi Simple	Up to 1.112
Andy Armstrong Cgi Simple	Version 0.078
Andy Armstrong Cgi Simple	Version 0.079
Andy Armstrong Cgi Simple	Version 0.080
Andy Armstrong Cgi Simple	Version 0.081
Andy Armstrong Cgi Simple	Version 0.082
Andy Armstrong Cgi Simple	Version 0.83
Andy Armstrong Cgi Simple	Version 1.0
Andy Armstrong Cgi Simple	Version 1.1.1
Andy Armstrong Cgi Simple	Version 1.1.2
Andy Armstrong Cgi Simple	Version 1.103
Andy Armstrong Cgi Simple	Version 1.104
Andy Armstrong Cgi Simple	Version 1.105
Andy Armstrong Cgi Simple	Version 1.106
Andy Armstrong Cgi Simple	Version 1.107
Andy Armstrong Cgi Simple	Version 1.108
Andy Armstrong Cgi Simple	Version 1.109
Andy Armstrong Cgi Simple	Version 1.110
Andy Armstrong Cgi Simple	Version 1.111
Andy Armstrong Cgi Simple	Version 1.1

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (70)

http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes

Source: cve@mitre.org

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

Source: cve@mitre.org

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html

Source: cve@mitre.org

http://openwall.com/lists/oss-security/2010/12/01/1

Source: cve@mitre.org

Patch

http://openwall.com/lists/oss-security/2010/12/01/2

Source: cve@mitre.org

http://openwall.com/lists/oss-security/2010/12/01/3

Source: cve@mitre.org

Patch

http://osvdb.org/69588

Source: cve@mitre.org

http://osvdb.org/69589

Source: cve@mitre.org

http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm

Source: cve@mitre.org

Patch

http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1

Source: cve@mitre.org

Patch

http://secunia.com/advisories/42877

Source: cve@mitre.org

http://secunia.com/advisories/43033

Source: cve@mitre.org

http://secunia.com/advisories/43068

Source: cve@mitre.org

http://secunia.com/advisories/43147

Source: cve@mitre.org

http://secunia.com/advisories/43165

Source: cve@mitre.org

http://www.bugzilla.org/security/3.2.9/

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2010:237

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2010:250

Source: cve@mitre.org

http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html

Source: cve@mitre.org

Patch

http://www.redhat.com/support/errata/RHSA-2011-1797.html

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2011/0076

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2011/0207

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2011/0212

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2011/0249

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2011/0271

Source: cve@mitre.org

https://bugzilla.mozilla.org/show_bug.cgi?id=591165

Source: cve@mitre.org

https://bugzilla.mozilla.org/show_bug.cgi?id=600464

Source: cve@mitre.org

https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380

Source: cve@mitre.org

Patch

http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes