oss-sec mailing list archives
CVE request for CGI::Application information disclosure flaw
From: "Vincent Danen" <vdanen () redhat com>
Date: Wed, 19 Feb 2014 15:18:43 -0700

I don't believe a CVE was requested for this issue. Looks like it requires a 2013 CVE. Copying-and-pasting from our bug [5]:

It was reported [1],[2] that the CGI::Application perl module suffered from a flaw where, in certain cases, it would unexpectedly dump a complete set of web query data and server environment information as an error page. This could allow unintended disclosure of sensitive information.

A suggested fix is available [3] and the commit that caused the problem [4] was most likely introduced in version 4.19.

[1] https://rt.cpan.org/Public/Bug/Display.html?id=84403
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505
[3] https://github.com/markstos/CGI--Application/pull/15
[4] https://github.com/markstos/CGI--Application/commit/61d327646f01fe
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1067180

Thanks.

--
Vincent Danen / Red Hat Security Response Team