CVE-2011-2766

Fast Cgi < 0.73 - Authentication Bypass

Title source: rule

Description

The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers to bypass authentication via crafted HTTP headers.

References (11)

[Exploit, Issue Tracking, Mailing List, Third Party Advisory] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607479

[Third Party Advisory] http://www.debian.org/security/2011/dsa-2327

[Third Party Advisory] http://www.mandriva.com/security/advisories?name=MDVSA-2012:001

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2011/09/08/1

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2011/09/08/2

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/49549

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=736604

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/69709

[Broken Link] https://hermes.opensuse.org/messages/13154637

[Broken Link] https://hermes.opensuse.org/messages/13155253

[Exploit, Patch, Third Party Advisory] https://rt.cpan.org/Public/Bug/Display.html?id=68380

Scores

EPSS 0.0026

EPSS Percentile 49.2%

Classification

CWE

CWE-287

Status draft

Affected Products (4)

fast_cgi_project/fast_cgi < 0.73

debian/debian_linux

Timeline

Published Sep 23, 2011

Tracked Since Feb 18, 2026