CVE-2013-4407
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/11/2013
Last modified:
11/04/2025
Description
HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.
Impact
Base Score 2.0
6.80
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:http-body_project:http-body:*:*:*:*:*:*:*:* | 1.17 (including) | |
| cpe:2.3:a:http-body_project:http-body:0.01:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.03:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:0.9:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:1.00:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:1.01:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:1.02:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:1.03:*:*:*:*:*:*:* | ||
| cpe:2.3:a:http-body_project:http-body:1.04:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba%3Dcommit%3Bh%3D13ac5b23c083bc56e32dd706ca02fca292bd2161
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba%3Dcommit%3Bh%3Dcc75c886256f187cda388641931e8dafad6c2346
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00018.html
- http://www.debian.org/security/2013/dsa-2801
- http://www.openwall.com/lists/oss-security/2024/04/07/1
- https://metacpan.org/release/GETTY/HTTP-Body-1.23/
- https://www.openwall.com/lists/oss-security/2024/04/07/1
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba%3Dcommit%3Bh%3D13ac5b23c083bc56e32dd706ca02fca292bd2161
- http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits/HTTP-Body.git%3Ba%3Dcommit%3Bh%3Dcc75c886256f187cda388641931e8dafad6c2346
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00018.html
- http://www.debian.org/security/2013/dsa-2801
- http://www.openwall.com/lists/oss-security/2024/04/07/1
- https://metacpan.org/release/GETTY/HTTP-Body-1.23/
- https://www.openwall.com/lists/oss-security/2024/04/07/1