Vulnerability Details CVE-2012-5526
CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.017
EPSS Ranking 81.3%
CVSS Severity
CVSS v2 Score 5.0
References
- http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://rhn.redhat.com/errata/RHSA-2013-0685.html
- http://secunia.com/advisories/51457
- http://secunia.com/advisories/55314
- http://www.debian.org/security/2012/dsa-2586
- http://www.openwall.com/lists/oss-security/2012/11/15/6
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/56562
- http://www.securitytracker.com/id?1027780
- http://www.ubuntu.com/usn/USN-1643-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80098
- https://github.com/markstos/CGI.pm/pull/23
- http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://rhn.redhat.com/errata/RHSA-2013-0685.html
- http://secunia.com/advisories/51457
- http://secunia.com/advisories/55314
- http://www.debian.org/security/2012/dsa-2586
- http://www.openwall.com/lists/oss-security/2012/11/15/6
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/56562
- http://www.securitytracker.com/id?1027780
- http://www.ubuntu.com/usn/USN-1643-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80098
- https://github.com/markstos/CGI.pm/pull/23
Products affected by CVE-2012-5526
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.4
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.42
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.43
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.44
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.45
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.50
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.51
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.52
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.53
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.54
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.55
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.56
-
cpe:2.3:a:andy_armstrong:cgi.pm:1.57
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.0
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.01
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.13
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.14
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.15
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.16
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.17
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.18
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.19
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.20
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.21
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.22
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.23
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.24
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.25
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.26
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.27
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.28
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.29
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.30
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.31
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.32
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.33
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.34
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.35
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.36
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.37
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.38
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.39
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.40
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.41
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.42
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.43
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.44
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.45
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.46
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.47
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.48
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.49
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.50
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.51
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.52
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.53
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.54
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.55
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.56
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.57
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.58
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.59
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.60
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.61
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.62
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.63
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.64
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.65
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.66
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.67
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.68
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.69
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.70
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.71
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.72
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.73
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.74
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.75
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.751
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.752
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.76
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.77
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.78
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.79
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.80
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.81
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.82
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.83
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.84
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.85
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.86
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.87
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.88
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.89
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.90
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.91
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.92
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.93
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.94
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.95
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.96
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.97
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.98
-
cpe:2.3:a:andy_armstrong:cgi.pm:2.99
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.00
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.01
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.02
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.03
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.04
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.05
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.06
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.07
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.08
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.09
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.10
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.11
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.12
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.13
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.14
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.15
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.16
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.17
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.18
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.19
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.20
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.21
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.22
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.23
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.24
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.25
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.26
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.27
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.28
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.29
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.30
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.31
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.32
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.33
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.34
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.35
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.36
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.37
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.38
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.39
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.40
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.41
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.42
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.43
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.44
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.45
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.46
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.47
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.48
-
cpe:2.3:a:andy_armstrong:cgi.pm:3.49