CVE-2011-2767
high-risk
Published 2018-08-26
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Do I need to act?
3.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (17)
References (24)
Third Party Advisory
http://www.securityfocus.com/bid/105195
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2737
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2825
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2826
Issue Tracking
https://bugs.debian.org/644169
Third Party Advisory
https://usn.ubuntu.com/3825-1/
Third Party Advisory
https://usn.ubuntu.com/3825-2/
Third Party Advisory
and 4 more references
58 / 100
high-risk
Severity
32/34 · Critical
Exploitability
7/34 · Low
Exposure
19/34 · Moderate