{
  "threat_severity" : "Important",
  "public_date" : "2011-10-03T00:00:00Z",
  "bugzilla" : {
    "description" : "mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess",
    "id" : "1623265",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1623265"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-266",
  "details" : [ "mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes." ],
  "statement" : "The default configurations shipped in Red Hat Enterprise Linux 6 and Red Hat Software Collections are not vulnerable to to this flaw.  The UserDir option needs to be enabled as well as AllowOverride being set to values other than \"None\" for this to potentially pose a threat.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2018-09-24T00:00:00Z",
    "advisory" : "RHSA-2018:2737",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "mod_perl-0:2.0.4-12.el6_10"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2826",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-perl524-mod_perl-0:2.0.9-10.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2826",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-perl524-mod_perl-0:2.0.9-10.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2825",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl526-mod_perl-0:2.0.10-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2826",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl524-mod_perl-0:2.0.9-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2825",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl526-mod_perl-0:2.0.10-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2826",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl524-mod_perl-0:2.0.9-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2825",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl526-mod_perl-0:2.0.10-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2826",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl524-mod_perl-0:2.0.9-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2825",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl526-mod_perl-0:2.0.10-10.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-09-27T00:00:00Z",
    "advisory" : "RHSA-2018:2826",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-perl524-mod_perl-0:2.0.9-10.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "mod_perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mod_perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2011-2767\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-2767" ],
  "name" : "CVE-2011-2767",
  "mitigation" : {
    "value" : "Disabling the UserDir directive and also setting AllowOverride None should prevent the processing of perl in user .htaccess files.",
    "lang" : "en:us"
  },
  "csaw" : false
}