CVE-2010-2253

Severity: Unknown
EPSS: 3.29%

CVE-2010-2253 is a vulnerability of currently unknown severity. lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory. EPSS estimates a 3.29% chance of exploitation in the next 30 days.

Description

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Metrics

EPSS Probability
3.29%

86.9th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor | Product | Versions
Gisle Aas | Libwww-Perl | 0.01, 0.02, 0.03, 0.04, 5.00, 5.01, 5.02, 5.03, 5.04, 5.05, 5.06, 5.07, 5.08, 5.09, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 5.18_03, 5.18_04, 5.18_05, 5.19, 5.20, 5.21, 5.22, 5.30, 5.31, 5.32, 5.33, 5.34, 5.35, 5.36, 5.41, 5.42, 5.43, 5.44, 5.45, 5.46, 5.47, 5.48, 5.49, 5.50, 5.51, 5.52, 5.53

Showing 50 of 122 affected configurations. See NVD for the full list.

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2010-2253?
lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
How severe is CVE-2010-2253?
Severity scoring for CVE-2010-2253 is pending analysis. The EPSS model estimates a 3.29% probability of exploitation in the next 30 days.
How do I fix CVE-2010-2253?
Upgrade libwww-perl to version 5.835 or later; the description above states that only versions before 5.835 are affected. Check your distribution's advisories for the packaged version that carries the fix.


Source: NVD / NIST