CVE-2011-2766

The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers to bypass authentication via crafted HTTP headers.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Fast_cgi	Fast_cgi_project	0.70 (including)	0.73 (including)
Libfcgi-perl	Ubuntu	maverick	*
Libfcgi-perl	Ubuntu	natty	*
Libfcgi-perl	Ubuntu	oneiric	*
Libfcgi-perl	Ubuntu	upstream	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607479
http://www.debian.org/security/2011/dsa-2327
http://www.mandriva.com/security/advisories?name=MDVSA-2012:001
http://www.openwall.com/lists/oss-security/2011/09/08/1
http://www.openwall.com/lists/oss-security/2011/09/08/2
http://www.securityfocus.com/bid/49549
https://bugzilla.redhat.com/show_bug.cgi?id=736604
https://exchange.xforce.ibmcloud.com/vulnerabilities/69709
https://hermes.opensuse.org/messages/13154637
https://hermes.opensuse.org/messages/13155253
https://rt.cpan.org/Public/Bug/Display.html?id=68380

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-2766
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References