CVE-2013-4407 - HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the par

CVE-2013-4407

Summary

HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.

References

Vulnerable Configurations

cpe:2.3:a:http-body_project:http-body:1.05:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.05:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.01:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.01:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.2:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.2:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.9:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.9:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.01:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.01:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.03:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.03:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.4:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.4:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.5:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.5:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.6:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.6:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.7:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.7:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.8:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:0.8:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.00:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.00:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.02:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.02:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.03:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.03:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.04:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.04:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.06:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.06:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.07:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.07:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.08:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.08:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.09:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.09:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.10:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.10:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.11:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.11:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.12:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.12:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.14:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.14:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.15:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.15:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.16:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.16:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.17:*:*:*:*:*:*:*
cpe:2.3:a:http-body_project:http-body:1.17:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 12-04-2024 - 16:15)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

confirm	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
debian	DSA-2801
suse	openSUSE-SU-2014:0433

Last major update

12-04-2024 - 16:15

Published

23-11-2013 - 18:55

Last modified

12-04-2024 - 16:15