CVE-2022-31081 : HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.

HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected.

Published 2022-06-27 21:15:08

Updated 2023-03-11 06:15:52

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-31081

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Http::daemon Project » Http::daemon
Versions before (<) 6.15
cpe:2.3:a:http\:\:daemon_project:http\:\:daemon:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-31081

EPSS FAQ

0.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-31081

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	3.9	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	3.9	3.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2022-31081

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-31081

http://metacpan.org/release/HTTP-Daemon/

HTTP-Daemon-6.14 - A simple http server class - metacpan.org
Release Notes;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECJ4ZPBQWD3B2CD6RRIVMENB5KUOJ3LC/

[SECURITY] Fedora 38 Update: perl-HTTP-Daemon-6.16-1.fc38 - package-announce - Fedora Mailing-Lists
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn

HTTP Desync Attacks: Request Smuggling Reborn | PortSwigger Research
Exploit;Third Party Advisory

CVEs referencing this url
https://cwe.mitre.org/data/definitions/444.html

CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.7)
Third Party Advisory
https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2

Fix Content-Length ', '-separated string issues · libwww-perl/HTTP-Daemon@e84475d · GitHub
Patch;Third Party Advisory
https://datatracker.ietf.org/doc/html/rfc7230#section-9.5

RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U4XEPZ5Q3LNOQF3E6EXFWVSEXU5IZ6T/

[SECURITY] Fedora 36 Update: perl-HTTP-Daemon-6.16-1.fc36 - package-announce - Fedora Mailing-Lists
https://lists.debian.org/debian-lts-announce/2022/09/msg00038.html

[SECURITY] [DLA 3127-1] libhttp-daemon-perl security update
Mailing List;Third Party Advisory
https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in HTTP::Daemon · Advisory · libwww-perl/HTTP-Daemon · GitHub
Patch;Third Party Advisory
https://github.com/libwww-perl/HTTP-Daemon/commit/8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0

Include reason in response body content · libwww-perl/HTTP-Daemon@8dc5269 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQBW2D43TDNYX4R2YBTNNZDBNZ45DINN/

[SECURITY] Fedora 37 Update: perl-HTTP-Daemon-6.16-1.fc37 - package-announce - Fedora Mailing-Lists

Jump to

Vulnerability Details : CVE-2022-31081

Products affected by CVE-2022-31081

Exploit prediction scoring system (EPSS) score for CVE-2022-31081

CVSS scores for CVE-2022-31081

CWE ids for CVE-2022-31081

References for CVE-2022-31081