CVE-2011-2767 Information

Feb 14, 2021 cve

Description

mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator’s control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html http://www.securityfocus.com/bid/105195 https://access.redhat.com/errata/RHSA-2018:2737 https://access.redhat.com/errata/RHSA-2018:2825 https://access.redhat.com/errata/RHSA-2018:2826 https://bugs.debian.org/644169 https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d@3Cmodperl-cvs.perl.apache.org3E https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/3C20111004084343.GA2129040ktnx.net3E https://usn.ubuntu.com/3825-1/ https://usn.ubuntu.com/3825-2/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: