CVE-2010-2253

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
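| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 6.8 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |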

EPSS Score percentile: 75%

| Vendor | Product | Version |
|---|---|---|
| gisle_aas | libwww-perl | 0.01, 0.02, 0.03, 0.04, 5.00, 5.01, 5.02, 5.03, 5.04, 5.05, 5.06, 5.07, 5.08, 5.09, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 5.18_03:_03, 5.18_04:_04, 5.18_05:_05, 5.19, 5.20, 5.21, 5.22, 5.30, 5.31, 5.32, 5.33, 5.34, 5.35, 5.36, 5.41, 5.42, 5.43, 5.44, 5.45, 5.46, 5.47, 5.48, 5.49, 5.50, 5.51, 5.52, 5.53, 5.53_90:_90, 5.53_91:_91, 5.53_92:_92, 5.53_93:_93, 5.53_94:_94, 5.53_95:_95, 5.53_96:_96, 5.53_97:_97, 5.60, 5.61, 5.62, 5.63, 5.64, 5.65, 5.66, 5.67, 5.68, 5.69, 5.70, 5.71, 5.72, 5.73, 5.74, 5.75, 5.76, 5.77, 5.78, 5.79, 5.800, 5.801, 5.802, 5.803, 5.804, 5.805, 5.806, 5.807, 5.808, 5.810, 5.811, 5.812, 5.813, 5.814, 5.815, 5.816, 5.817, 5.818, 5.819, 5.820, 5.821, 5.822, 5.823, 5.824, 5.825, 5.826, 5.827, 5.828, 5.829, 5.830, 5.831, 5.832, 5.833 |
| search.cpan | libwww-perl | 𝑥 ≤ 5.834 |
| search.cpan | libwww-perl | 5.40_01:_01 |

𝑥 = Vulnerable software versions

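Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libwww-perl | bullseye | 6.52-1 | fixed |
| libwww-perl | bookworm | 6.68-1 | fixed |
| libwww-perl | sid | 6.77-1 | fixed |
| libwww-perl | trixie | 6.77-1 | fixed |
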
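Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libwww-perl | lucid | Fixed 5.834-1ubuntu0.1 | released |
| libwww-perl | karmic | Fixed 5.831-1ubuntu0.1 | released |
| libwww-perl | jaunty | Fixed 5.820-1ubuntu0.1 | released |
| libwww-perl | hardy | Fixed 5.808-1ubuntu0.1 | released |
| libwww-perl | dapper | Fixed 5.803-4ubuntu0.1 | released |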