CVE-2011-2767

Published: Aug 26, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.

Affected (17)

Products: Apache: Mod Perl · Debian: Debian Linux · Redhat: Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · +1 more

Show all products

Apache: Mod Perl · Debian: Debian Linux · Redhat: Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · Canonical: Ubuntu Linux

1 product

1 product

4 products

Enterprise Linux

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Mod Perl	From 2.0.0 to 2.0.10

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Configuration C

10 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 6.7
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 7.3
Redhat Enterprise Linux	Version 7.4
Redhat Enterprise Linux	Version 7.5
Redhat Enterprise Linux	Version 7.6
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Workstation	Version 6.0

Configuration D

5 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 18.10

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (24)

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html

Source: security@debian.org

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html

Source: security@debian.org

http://www.securityfocus.com/bid/105195

Source: security@debian.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:2737

Source: security@debian.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2825

Source: security@debian.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2826

Source: security@debian.org

Third Party Advisory

https://bugs.debian.org/644169

Source: security@debian.org

Issue TrackingMailing ListThird Party Advisory

https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d%40%3Cmodperl-cvs.perl.apache.org%3E

Source: security@debian.org

https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html

Source: security@debian.org

Mailing ListThird Party Advisory

https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E

Source: security@debian.org

Mailing ListThird Party Advisory

https://usn.ubuntu.com/3825-1/

Source: security@debian.org

Third Party Advisory

https://usn.ubuntu.com/3825-2/

Source: security@debian.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/105195

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:2737

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2825

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2826

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugs.debian.org/644169

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingMailing ListThird Party Advisory

https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d%40%3Cmodperl-cvs.perl.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://usn.ubuntu.com/3825-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/3825-2/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.