CVE-2013-4407

描述

HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed.

如何修補 CVE-2013-4407

要修補 CVE-2013-4407,請將受影響套件升級到下列已修補版本。

• Alpine/perl-http-body—升級至 1.22-r2 或更新版本
• Debian/libhttp-body-perl—升級至 1.17-2 或更新版本
• —升級至 1.11-1+deb7u1 或更新版本

CVE-2013-4407 正在被利用嗎?

低 — EPSS 為 0.8%,目前沒有觀察到大規模利用活動。

受影響套件(3)

• from 0, < 1.22-r2
• from 0, < 1.17-2
• from 0, < 1.11-1+deb7u1

參考連結(2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2013-4407
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4407