CVE-2012-5526 | Vulnerability Database | Aqua Security

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

Affected Software

Name	Vendor	Start Version	End Version
Cgi.pm	Andy_armstrong	*	3.62 (including)

References

http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705
http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10735
http://rhn.redhat.com/errata/RHSA-2013-0685.html
http://secunia.com/advisories/51457
http://secunia.com/advisories/55314
http://www.debian.org/security/2012/dsa-2586
http://www.openwall.com/lists/oss-security/2012/11/15/6
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/56562
http://www.securitytracker.com/id?1027780
http://www.ubuntu.com/usn/USN-1643-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/80098
https://github.com/markstos/CGI.pm/pull/23

NVD	https://nvd.nist.gov/vuln/detail/CVE-2012-5526
CWE	https://cwe.mitre.org/data/definitions/16.html