Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2010-2253

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Published

2010-07-06T17:17:13.360

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gisle_aas	libwww-perl	0.01	Yes
Application	gisle_aas	libwww-perl	0.02	Yes
Application	gisle_aas	libwww-perl	0.03	Yes
Application	gisle_aas	libwww-perl	0.04	Yes
Application	gisle_aas	libwww-perl	5.00	Yes
Application	gisle_aas	libwww-perl	5.01	Yes
Application	gisle_aas	libwww-perl	5.02	Yes
Application	gisle_aas	libwww-perl	5.03	Yes
Application	gisle_aas	libwww-perl	5.04	Yes
Application	gisle_aas	libwww-perl	5.05	Yes
Application	gisle_aas	libwww-perl	5.06	Yes
Application	gisle_aas	libwww-perl	5.07	Yes
Application	gisle_aas	libwww-perl	5.08	Yes
Application	gisle_aas	libwww-perl	5.09	Yes
Application	gisle_aas	libwww-perl	5.10	Yes
Application	gisle_aas	libwww-perl	5.11	Yes
Application	gisle_aas	libwww-perl	5.12	Yes
Application	gisle_aas	libwww-perl	5.13	Yes
Application	gisle_aas	libwww-perl	5.14	Yes
Application	gisle_aas	libwww-perl	5.15	Yes
Application	gisle_aas	libwww-perl	5.16	Yes
Application	gisle_aas	libwww-perl	5.17	Yes
Application	gisle_aas	libwww-perl	5.18	Yes
Application	gisle_aas	libwww-perl	5.18_03	Yes
Application	gisle_aas	libwww-perl	5.18_04	Yes
Application	gisle_aas	libwww-perl	5.18_05	Yes
Application	gisle_aas	libwww-perl	5.19	Yes
Application	gisle_aas	libwww-perl	5.20	Yes
Application	gisle_aas	libwww-perl	5.21	Yes
Application	gisle_aas	libwww-perl	5.22	Yes
Application	gisle_aas	libwww-perl	5.30	Yes
Application	gisle_aas	libwww-perl	5.31	Yes
Application	gisle_aas	libwww-perl	5.32	Yes
Application	gisle_aas	libwww-perl	5.33	Yes
Application	gisle_aas	libwww-perl	5.34	Yes
Application	gisle_aas	libwww-perl	5.35	Yes
Application	gisle_aas	libwww-perl	5.36	Yes
Application	gisle_aas	libwww-perl	5.41	Yes
Application	gisle_aas	libwww-perl	5.42	Yes
Application	gisle_aas	libwww-perl	5.43	Yes
Application	gisle_aas	libwww-perl	5.44	Yes
Application	gisle_aas	libwww-perl	5.45	Yes
Application	gisle_aas	libwww-perl	5.46	Yes
Application	gisle_aas	libwww-perl	5.47	Yes
Application	gisle_aas	libwww-perl	5.48	Yes
Application	gisle_aas	libwww-perl	5.49	Yes
Application	gisle_aas	libwww-perl	5.50	Yes
Application	gisle_aas	libwww-perl	5.51	Yes
Application	gisle_aas	libwww-perl	5.52	Yes
Application	gisle_aas	libwww-perl	5.53	Yes
Application	gisle_aas	libwww-perl	5.53_90	Yes
Application	gisle_aas	libwww-perl	5.53_91	Yes
Application	gisle_aas	libwww-perl	5.53_92	Yes
Application	gisle_aas	libwww-perl	5.53_93	Yes
Application	gisle_aas	libwww-perl	5.53_94	Yes
Application	gisle_aas	libwww-perl	5.53_95	Yes
Application	gisle_aas	libwww-perl	5.53_96	Yes
Application	gisle_aas	libwww-perl	5.53_97	Yes
Application	gisle_aas	libwww-perl	5.60	Yes
Application	gisle_aas	libwww-perl	5.61	Yes
Application	gisle_aas	libwww-perl	5.62	Yes
Application	gisle_aas	libwww-perl	5.63	Yes
Application	gisle_aas	libwww-perl	5.64	Yes
Application	gisle_aas	libwww-perl	5.65	Yes
Application	gisle_aas	libwww-perl	5.66	Yes
Application	gisle_aas	libwww-perl	5.67	Yes
Application	gisle_aas	libwww-perl	5.68	Yes
Application	gisle_aas	libwww-perl	5.69	Yes
Application	gisle_aas	libwww-perl	5.70	Yes
Application	gisle_aas	libwww-perl	5.71	Yes
Application	gisle_aas	libwww-perl	5.72	Yes
Application	gisle_aas	libwww-perl	5.73	Yes
Application	gisle_aas	libwww-perl	5.74	Yes
Application	gisle_aas	libwww-perl	5.75	Yes
Application	gisle_aas	libwww-perl	5.76	Yes
Application	gisle_aas	libwww-perl	5.77	Yes
Application	gisle_aas	libwww-perl	5.78	Yes
Application	gisle_aas	libwww-perl	5.79	Yes
Application	gisle_aas	libwww-perl	5.800	Yes
Application	gisle_aas	libwww-perl	5.801	Yes
Application	gisle_aas	libwww-perl	5.802	Yes
Application	gisle_aas	libwww-perl	5.803	Yes
Application	gisle_aas	libwww-perl	5.804	Yes
Application	gisle_aas	libwww-perl	5.805	Yes
Application	gisle_aas	libwww-perl	5.806	Yes
Application	gisle_aas	libwww-perl	5.807	Yes
Application	gisle_aas	libwww-perl	5.808	Yes
Application	gisle_aas	libwww-perl	5.810	Yes
Application	gisle_aas	libwww-perl	5.811	Yes
Application	gisle_aas	libwww-perl	5.812	Yes
Application	gisle_aas	libwww-perl	5.813	Yes
Application	gisle_aas	libwww-perl	5.814	Yes
Application	gisle_aas	libwww-perl	5.815	Yes
Application	gisle_aas	libwww-perl	5.816	Yes
Application	gisle_aas	libwww-perl	5.817	Yes
Application	gisle_aas	libwww-perl	5.818	Yes
Application	gisle_aas	libwww-perl	5.819	Yes
Application	gisle_aas	libwww-perl	5.820	Yes
Application	gisle_aas	libwww-perl	5.821	Yes
Application	gisle_aas	libwww-perl	5.822	Yes
Application	gisle_aas	libwww-perl	5.823	Yes
Application	gisle_aas	libwww-perl	5.824	Yes
Application	gisle_aas	libwww-perl	5.825	Yes
Application	gisle_aas	libwww-perl	5.826	Yes
Application	gisle_aas	libwww-perl	5.827	Yes
Application	gisle_aas	libwww-perl	5.828	Yes
Application	gisle_aas	libwww-perl	5.829	Yes
Application	gisle_aas	libwww-perl	5.830	Yes
Application	gisle_aas	libwww-perl	5.831	Yes
Application	gisle_aas	libwww-perl	5.832	Yes
Application	gisle_aas	libwww-perl	5.833	Yes
Application	gisle_aas	libwww-perl	5b5	Yes
Application	gisle_aas	libwww-perl	5b6	Yes
Application	gisle_aas	libwww-perl	5b7	Yes
Application	gisle_aas	libwww-perl	5b8	Yes
Application	gisle_aas	libwww-perl	5b9	Yes
Application	gisle_aas	libwww-perl	5b10	Yes
Application	gisle_aas	libwww-perl	5b11	Yes
Application	gisle_aas	libwww-perl	5b12	Yes
Application	gisle_aas	libwww-perl	5b13	Yes
Application	search.cpan	libwww-perl	≤ 5.834	Yes
Application	search.cpan	libwww-perl	5.40_01	Yes

References

http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050232.html ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050245.html ([email protected])
http://marc.info/?l=oss-security&m=127411372529485&w=2 ([email protected])
http://marc.info/?l=oss-security&m=127611288927500&w=2 ([email protected])
http://www.ocert.org/advisories/ocert-2010-001.html ([email protected])
http://www.ubuntu.com/usn/USN-981-1 ([email protected])
http://www.vupen.com/english/advisories/2010/2872 ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=591580 ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=602800 ([email protected])
http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050232.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050245.html (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=oss-security&m=127411372529485&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=oss-security&m=127611288927500&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ocert.org/advisories/ocert-2010-001.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-981-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/2872 (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=591580 (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=602800 (af854a3a-2127-422b-91ae-364da2661108)