CVE-2012-5526 | Vulnerability Database | Aqua Security

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

Affected Software

Name	Vendor	Start Version	End Version
Cgi.pm	Andy_armstrong	*	3.62 (including)
Red Hat Enterprise Linux 5	RedHat	perl-4:5.8.8-40.el5_9	*
Red Hat Enterprise Linux 6	RedHat	perl-4:5.10.1-130.el6_4	*
Libcgi-pm-perl	Ubuntu	lucid	*
Libcgi-pm-perl	Ubuntu	oneiric	*
Libcgi-pm-perl	Ubuntu	precise	*
Libcgi-pm-perl	Ubuntu	quantal	*
Libcgi-pm-perl	Ubuntu	raring	*
Libcgi-pm-perl	Ubuntu	upstream	*
Perl	Ubuntu	hardy	*
Perl	Ubuntu	lucid	*
Perl	Ubuntu	oneiric	*
Perl	Ubuntu	precise	*
Perl	Ubuntu	quantal	*
Perl	Ubuntu	upstream	*

References

http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705
http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10735
http://rhn.redhat.com/errata/RHSA-2013-0685.html
http://secunia.com/advisories/51457
http://secunia.com/advisories/55314
http://www.debian.org/security/2012/dsa-2586
http://www.openwall.com/lists/oss-security/2012/11/15/6
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/56562
http://www.securitytracker.com/id?1027780
http://www.ubuntu.com/usn/USN-1643-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/80098
https://github.com/markstos/CGI.pm/pull/23

NVD	https://nvd.nist.gov/vuln/detail/CVE-2012-5526
CWE	https://cwe.mitre.org/data/definitions/16.html