CVEdetails.com the ultimate security vulnerability data source

Vulnerability Details : CVE-2012-5526

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
Publish Date: 2012-11-21. Last Update Date: 2017-08-28.

- CVSS Scores & Vulnerability Types

CVSS Score: 5.0
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): (none listed)
CWE ID: 16 (Configuration)

- Related OVAL Definitions

Title | Definition Id | Class | Family
--- | --- | --- | ---
DEPRECATED: ELSA-2013-0685 -- perl security update (moderate) | oval:org.mitre.oval:def:27634 | | unix
DEPRECATED: ELSA-2013:0685: perl security update (Moderate) | oval:org.mitre.oval:def:23419 | | unix
DEPRECATED: Security vulnerabilities in Perl for AIX | oval:org.mitre.oval:def:20566 | | unix
DSA-2586-1 perl - several | oval:org.mitre.oval:def:19449 | | unix
DSA-2587-1 libcgi-pm-perl - HTTP header injection | oval:org.mitre.oval:def:17940 | | unix
ELSA-2013:0685: perl security update (Moderate) | oval:org.mitre.oval:def:23712 | | unix
RHSA-2013:0685: perl security update (Moderate) | oval:org.mitre.oval:def:20994 | | unix
RHSA-2013:0685: perl security update (Moderate) | oval:com.redhat.rhsa:def:20130685 | | unix
Security vulnerabilities in Perl for AIX | oval:org.mitre.oval:def:21064 | | unix
SUSE-SU-2013:0441-1 -- Security update for Perl | oval:org.mitre.oval:def:26263 | | unix
SUSE-SU-2013:0442-1 -- Security update for Perl | oval:org.mitre.oval:def:26050 | | unix

OVAL (Open Vulnerability and Assessment Language) definitions specify exactly what should be checked to verify a vulnerability or a missing patch. Consult the OVAL definitions above to learn how to verify this vulnerability on an affected system.

- Products Affected By CVE-2012-5526

# | Product Type | Vendor | Product | Version | Update | Edition | Language
--- | --- | --- | --- | --- | --- | --- | ---
1 | Application | Andy Armstrong | Cgi.pm | 3.62 | | |

- Number Of Affected Versions By Product

Vendor | Product | Vulnerable Versions
--- | --- | ---
Andy Armstrong | Cgi.pm | 1

- References For CVE-2012-5526

- https://github.com/markstos/CGI.pm/pull/23
- http://www.securityfocus.com/bid/56562 (BID 56562: Perl CGI.pm 'Set-Cookie' and 'P3P' Headers HTTP Header Injection Vulnerability; Release Date: 2016-07-29)
- http://www.securitytracker.com/id?1027780 (SECTRACK 1027780)
- http://www.openwall.com/lists/oss-security/2012/11/15/6 (MLIST [oss-security] 20121115 Re: CVE Request -- perl-CGI: Newline injection due to improper CRLF escaping in Set-Cookie and P3P headers)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80098 (XF perl-cgipm-header-injection(80098))
- http://www.ubuntu.com/usn/USN-1643-1 (UBUNTU USN-1643-1)
- http://rhn.redhat.com/errata/RHSA-2013-0685.html (REDHAT RHSA-2013:0685)
- http://www.debian.org/security/2012/dsa-2586 (DEBIAN DSA-2586)
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html (CONFIRM)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 (CONFIRM)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 (CONFIRM)
- http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes (CONFIRM)

- Metasploit Modules Related To CVE-2012-5526

There are no Metasploit modules related to this CVE entry (see www.metasploit.com for more information).

CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.