Arbitrary Code Execution Vulnerability in mod_perl by Apache
CVE-2011-2767

9.8CRITICAL

Key Information:

Vendor
Apache
Status
mod_perl 2.0 through 2.0.10
Vendor
CVE Published:
26 August 2018

Summary

The vulnerability in mod_perl affects versions 2.0 through 2.0.10, enabling attackers to execute arbitrary Perl code through user-owned .htaccess files. This occurs due to a lack of configuration options that would restrict Perl code execution, thus allowing unprivileged users the ability to run code in the context of the Apache HTTP Server processes. The oversight in the documentation signifies a significant security gap that could compromise server integrity and expose sensitive data.

Affected Version(s)

mod_perl 2.0 through 2.0.10 mod_perl 2.0 through 2.0.10

References

https://lists.debian.org/debian-lts-announce/2018/09/msg0...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/105195
vdb-entryx_refsource_BID
https://usn.ubuntu.com/3825-1/
vendor-advisoryx_refsource_UBUNTU

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.