Vulnerability Details : CVE-2013-4407
HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.
Products affected by CVE-2013-4407
- cpe:2.3:a:http-body_project:http-body:*:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.10:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.09:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.02:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.01:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.03:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.16:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.08:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.07:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.00:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.01:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.11:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.04:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.03:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.15:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.14:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.06:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:1.05:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:http-body_project:http-body:0.7:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4407
- 1.62%: probability of exploitation activity in the next 30 days
- ~87%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4407
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
References for CVE-2013-4407
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git;a=commit;h=13ac5b23c083bc56e32dd706ca02fca292bd2161
  git.shadowcat.co.uk Git - catagits/HTTP-Body.git/commit
- https://www.openwall.com/lists/oss-security/2024/04/07/1
  oss-security - HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba=commit%3Bh=cc75c886256f187cda388641931e8dafad6c2346
  git.shadowcat.co.uk Git
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git;a=commit;h=cc75c886256f187cda388641931e8dafad6c2346
  git.shadowcat.co.uk Git - catagits/HTTP-Body.git/commit
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba=commit%3Bh=13ac5b23c083bc56e32dd706ca02fca292bd2161
  git.shadowcat.co.uk Git
- http://www.debian.org/security/2013/dsa-2801
  Debian -- Security Information -- DSA-2801-1 libhttp-body-perl
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
  #721634 - libhttp-body-perl: CVE-2013-4407: HTTP::Body::Multipart critical security bug - Debian Bug report logs
- https://metacpan.org/release/GETTY/HTTP-Body-1.23/
  HTTP-Body-1.23 - HTTP Body Parser - metacpan.org
- http://www.openwall.com/lists/oss-security/2024/04/07/1
  oss-security - HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00018.html
  [security-announce] openSUSE-SU-2014:0433-1: important: perl-HTTP-Body: