oss-sec mailing list archives

CVE request for CGI::Application information disclosure flaw


From: "Vincent Danen" <vdanen () redhat com>
Date: Wed, 19 Feb 2014 15:18:43 -0700

I don't believe a CVE was requested for this issue.  Looks like it requires a 2013 CVE.  Copying-and-pasting from our 
bug [5]:


It was reported [1],[2] that the CGI::Application perl module suffered from a flaw where, in certain cases, it would 
unexpectedly dump a complete set of web query data and server environment information as an error page.  This could 
allow unintended disclosure of sensitive information.

A suggested fix is available [3] and the commit that caused the problem [4] was most likely introduced in version 4.19.


[1] https://rt.cpan.org/Public/Bug/Display.html?id=84403
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505
[3] https://github.com/markstos/CGI--Application/pull/15
[4] https://github.com/markstos/CGI--Application/commit/61d327646f01fe
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1067180


Thanks.

-- 
Vincent Danen / Red Hat Security Response Team
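As an added, defender-side example (not code from the post or from the CGI::Application project), a minimal application class that installs an explicit error_mode handler, so that a run mode which dies produces a generic error page while the details go only to the server log; the run modes and messages are constructed for illustration. Whether this alone covers the 4.19 code path the post refers to is not established here; the suggested fix it cites [3] remains the remedy.

```perl
#!/usr/bin/perl
# Added example (not from the post or the CGI::Application project): an
# application class with an explicit error_mode handler, so a run mode that
# dies yields a generic error page and details reach only the server log.
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';

sub setup {
    my $self = shift;
    $self->start_mode('start');
    $self->run_modes(
        start => 'do_start',
        fail  => 'do_fail',   # constructed run mode that always dies
    );
    # Route any exception raised inside a run mode to handle_error.
    $self->error_mode('handle_error');
}

sub do_start {
    my $self = shift;
    return "<html><body>ok</body></html>\n";
}

sub do_fail {
    my $self = shift;
    die "simulated failure while handling request\n";
}

# Receives the exception text. Never echo query parameters or %ENV to the client.
sub handle_error {
    my ($self, $err) = @_;
    my $rm = $self->get_current_runmode;
    warn "MyApp error in run mode '$rm': $err";   # goes to the web server error log
    $self->header_props(
        -status => '500 Internal Server Error',
        -type   => 'text/html',
    );
    return "<html><body><h1>Internal error</h1>"
         . "<p>The request could not be completed.</p></body></html>\n";
}

package main;
MyApp->new->run;
```

Run it as a CGI script under a web server with CGI::Application installed; a request with `?rm=fail` exercises the handler and should return only the generic page.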
