Input validation error in perl-http-body (Alpine package)

1) Input validation error

EUVDB-ID: #VU33758

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-4407

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for Perl uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.

Mitigation

Install update from vendor's website.

Vulnerable software versions

perl-http-body (Alpine package): 1.12-r0 - 1.17-r0

CPE2.3

• cpe:2.3:a:alpine:perl-http-body_alpine_package:1.12-r0:*:*:*:*:alpine_linux:*:2.3
• cpe:2.3:a:alpine:perl-http-body_alpine_package:1.15-r0:*:*:*:*:alpine_linux:*:2.5
• cpe:2.3:a:alpine:perl-http-body_alpine_package:1.17-r0:*:*:*:*:alpine_linux:*:3.9

External links

https://git.alpinelinux.org/aports/commit/?id=7454a74b607d2ea338d1742b0ae51257b74fafe9
https://git.alpinelinux.org/aports/commit/?id=6041642bea0d97919a65d2e7e2d8211a0cf744f5
https://git.alpinelinux.org/aports/commit/?id=e189fcc8c61dfd0aab7d42d528003e88bb0c3c7f
https://git.alpinelinux.org/aports/commit/?id=be38e44a7d8e243722c40679605fbb40a489d675
https://git.alpinelinux.org/aports/commit/?id=fc63abb7cf648e265ac8976e6ff92197a6599348
https://git.alpinelinux.org/aports/commit/?id=213ebd008f5f44ea962bebeb139ec959c8c5ce4d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.