CVE-2011-2767

mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Code Injection
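
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| debian | CNA | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |
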
EPSS Score percentile: 87%

| Vendor | Product | Version |
|---|---|---|
| apache | mod_perl | 2.0.0 ≤ 𝑥 ≤ 2.0.10 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 6.7 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 7.3 |
| redhat | enterprise_linux | 7.4 |
| redhat | enterprise_linux | 7.5 |
| redhat | enterprise_linux | 7.6 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 18.10 |

𝑥 = Vulnerable software versions

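Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libapache2-mod-perl2 | bullseye | 2.0.11-4 | fixed |
| libapache2-mod-perl2 | bookworm | 2.0.12-1 | fixed |
| libapache2-mod-perl2 | sid | 2.0.13-2 | fixed |
| libapache2-mod-perl2 | trixie | 2.0.13-2 | fixed |
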
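Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libapache2-mod-perl2 | cosmic | Fixed 2.0.10-2ubuntu3.18.10.1 | released |
| libapache2-mod-perl2 | bionic | Fixed 2.0.10-2ubuntu3.18.04.1 | released |
| libapache2-mod-perl2 | xenial | Fixed 2.0.9-4ubuntu1.2 | released |
| libapache2-mod-perl2 | trusty | Fixed 2.0.8+httpd24-r1449661-6ubuntu2.1 | released |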