CVE-2011-2767
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2011-2767 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
The default configurations shipped in Red Hat Enterprise Linux 6 and Red Hat Software Collections are not vulnerable to to this flaw. The UserDir option needs to be enabled as well as AllowOverride being set to values other than "None" for this to potentially pose a threat.
CVSS v3 metrics
| CVSS3 Base Score | 6.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-perl526-mod_perl) | RHSA-2018:2825 | 2018-09-27 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-perl524-mod_perl) | RHSA-2018:2826 | 2018-09-27 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-perl524-mod_perl) | RHSA-2018:2826 | 2018-09-27 |
| Red Hat Enterprise Linux 6 (mod_perl) | RHSA-2018:2737 | 2018-09-24 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | mod_perl | Will not fix |
Mitigation
Disabling the UserDir directive and also setting AllowOverride None should prevent the processing of perl in user .htaccess files.
CVE description copyright © 2017, The MITRE Corporation
