CVE-2013-4407

HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
http-body_projecthttp-body
𝑥
≤ 1.17
http-body_projecthttp-body
0.01
http-body_projecthttp-body
0.2
http-body_projecthttp-body
0.03
http-body_projecthttp-body
0.4
http-body_projecthttp-body
0.5
http-body_projecthttp-body
0.6
http-body_projecthttp-body
0.7
http-body_projecthttp-body
0.8
http-body_projecthttp-body
0.9
http-body_projecthttp-body
1.00
http-body_projecthttp-body
1.01
http-body_projecthttp-body
1.02
http-body_projecthttp-body
1.03
http-body_projecthttp-body
1.04
http-body_projecthttp-body
1.05
http-body_projecthttp-body
1.06
http-body_projecthttp-body
1.07
http-body_projecthttp-body
1.08
http-body_projecthttp-body
1.09
http-body_projecthttp-body
1.10
http-body_projecthttp-body
1.11
http-body_projecthttp-body
1.12
http-body_projecthttp-body
1.14
http-body_projecthttp-body
1.15
http-body_projecthttp-body
1.16
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libhttp-body-perl
bullseye
1.22-1.1
fixed
squeeze
not-affected
sid
1.22-2
fixed
trixie
1.22-2
fixed
bookworm
1.22-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libhttp-body-perl
vivid
not-affected
utopic
not-affected
trusty
dne
precise
Fixed 1.11-1+deb7u1build0.12.04.1
released
lucid
ignored
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba=commit%3Bh=13ac5b23c083bc56e32dd706ca02fca292bd2161
http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba=commit%3Bh=cc75c886256f187cda388641931e8dafad6c2346
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00018.html
http://www.debian.org/security/2013/dsa-2801
http://www.openwall.com/lists/oss-security/2024/04/07/1
https://metacpan.org/release/GETTY/HTTP-Body-1.23/
https://www.openwall.com/lists/oss-security/2024/04/07/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba=commit%3Bh=13ac5b23c083bc56e32dd706ca02fca292bd2161
http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba=commit%3Bh=cc75c886256f187cda388641931e8dafad6c2346
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00018.html
http://www.debian.org/security/2013/dsa-2801
http://www.openwall.com/lists/oss-security/2024/04/07/1
https://metacpan.org/release/GETTY/HTTP-Body-1.23/
https://www.openwall.com/lists/oss-security/2024/04/07/1