Home

CVE-2022-31081

Description

HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the HTTP::Daemon. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling my $rqst = $conn->get_request() one could inspect the returned HTTP::Request object. Querying the Content-Length (my $cl = $rqst->header(Content-Length)) will show any abnormalities that should be dealt with by a 400 response. Expected strings of Content-Length SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is 42 or 42, 42, 42). Anything else MUST be rejected.

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.621

Associated Vulnerability

VulnerabilityOS Platform
simple http server class (USN-5520-1) libhttp-daemon-perl_6.01-1ubuntu0.1_all.debLinux
simple http server class (USN-5520-1) libhttp-daemon-perl_6.06-1ubuntu0.1_all.debLinux
simple http server class (USN-5520-1) libhttp-daemon-perl_6.13-1ubuntu0.1_all.debLinux
SUSE-SU-2022:2872-1(SUSE Linux Enterprise Server 12-SP5 ) perl-HTTP-Daemon-6.01-9.5.1.noarch.rpmLinux
perl-HTTP-Daemon Security Update (ALAS-2023-247) perl-HTTP-Daemon-6.16-1.amzn2023.noarch.rpmLinux
perl-HTTP-Daemon Security Update (ALAS-2023-247) perl-HTTP-Daemon-tests-6.16-1.amzn2023.noarch.rpmLinux
perl-HTTP-Daemon Security Update (ALAS-2024-2405) perl-HTTP-Daemon-6.01-8.amzn2.0.1.noarch.rpmLinux
perl-HTTP-Daemon Security Update (ALAS2-2024-2405) perl-HTTP-Daemon-6.01-8.amzn2.0.1.noarch.rpmLinux
perl-HTTP-Daemon Security Update (ALAS2023-2023-247) perl-HTTP-Daemon-6.16-1.amzn2023.noarch.rpmLinux
perl-HTTP-Daemon Security Update (ALAS2023-2023-247) perl-HTTP-Daemon-tests-6.16-1.amzn2023.noarch.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234