ID CVE-2007-1349
Summary PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:apache_test:-:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:apache_test:1.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:mod_perl:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:mod_perl:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:mod_perl:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:mod_perl:2.0.3:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 11-10-2017 - 01:31)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
oval via4
  • accepted 2013-04-29T04:10:29.086-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
    family unix
    id oval:org.mitre.oval:def:10987
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
    version 24
  • accepted 2010-06-07T04:01:05.430-04:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    definition_extensions
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    description PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
    family unix
    id oval:org.mitre.oval:def:8349
    status accepted
    submitted 2010-03-16T15:16:58.000-04:00
    title Security Vulnerabilities in the Apache 2 "mod_perl2" Module Components "PerlRun.pm" May Lead to Denial of Service (DoS) or Unauthorized Access to Data
    version 32
redhat via4
advisories
  • bugzilla
    id 240423
    title CVE-2007-1349 mod_perl PerlRun denial of service
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhba:tst:20070026001
      • OR
        • AND
          • comment mod_perl is earlier than 0:1.99_09-12.ent
            oval oval:com.redhat.rhsa:tst:20070395002
          • comment mod_perl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070395003
        • AND
          • comment mod_perl-devel is earlier than 0:1.99_09-12.ent
            oval oval:com.redhat.rhsa:tst:20070395004
          • comment mod_perl-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070395005
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment mod_perl is earlier than 0:1.99_16-4.5
            oval oval:com.redhat.rhsa:tst:20070395007
          • comment mod_perl is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070395003
        • AND
          • comment mod_perl-devel is earlier than 0:1.99_16-4.5
            oval oval:com.redhat.rhsa:tst:20070395008
          • comment mod_perl-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070395005
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment mod_perl is earlier than 0:2.0.2-6.3.el5
            oval oval:com.redhat.rhsa:tst:20070395010
          • comment mod_perl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070395011
        • AND
          • comment mod_perl-devel is earlier than 0:2.0.2-6.3.el5
            oval oval:com.redhat.rhsa:tst:20070395012
          • comment mod_perl-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070395013
    rhsa
    id RHSA-2007:0395
    released 2007-06-14
    severity Low
    title RHSA-2007:0395: mod_perl security update (Low)
  • rhsa
    id RHSA-2007:0396
  • rhsa
    id RHSA-2007:0486
  • rhsa
    id RHSA-2008:0261
  • rhsa
    id RHSA-2008:0627
  • rhsa
    id RHSA-2008:0630
rpms
  • mod_perl-0:1.99_09-12.ent
  • mod_perl-devel-0:1.99_09-12.ent
  • mod_perl-0:1.99_16-4.5
  • mod_perl-devel-0:1.99_16-4.5
  • mod_perl-0:2.0.2-6.3.el5
  • mod_perl-devel-0:2.0.2-6.3.el5
refmap via4
bid 23192
confirm
gentoo GLSA-200705-04
mandriva MDKSA-2007:083
misc http://www.gossamer-threads.com/lists/modperl/modperl/92739
sectrack 1018259
secunia
  • 24678
  • 24839
  • 25072
  • 25110
  • 25432
  • 25655
  • 25730
  • 25894
  • 26084
  • 26231
  • 26290
  • 31490
  • 31493
  • 33720
  • 33723
sgi 20070602-01-P
sunalert
  • 1021508
  • 248386
suse
  • SUSE-SR:2007:008
  • SUSE-SR:2007:012
trustix 2007-0023
ubuntu USN-488-1
vupen ADV-2007-1150
xf modperl-pathinfo-dos(33312)
Last major update 11-10-2017 - 01:31
Published 30-03-2007 - 00:19