
    2 vulnerabilities found for Plack::Middleware::Security::Common by RRWO

    CVE-2026-9658 (GCVE-0-2026-9658)

    Vulnerability from nvd – Published: 2026-05-28 11:36 – Updated: 2026-06-01 18:00
    VLAI
    Title
    Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
    Summary
    Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example `GET /path\r\nHTTP/1.1\r\nHost: secret.example.com`. Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-790 - Improper Filtering of Special Elements
    • CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers
    Assigner
    Impacted products
    Vendor Product Version
    RRWO Plack::Middleware::Security::Common Affected: 0 , < 0.13.1 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-28T22:33:29.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/28/9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9658",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T18:00:08.268723Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T18:00:18.515Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Plack-Middleware-Security-Simple",
              "product": "Plack::Middleware::Security::Common",
              "programFiles": [
                "lib/Plack/Middleware/Security/Common.pm"
              ],
              "programRoutines": [
                {
                  "name": "Plack::Middleware::Security::Common::header_injection"
                }
              ],
              "repo": "https://github.com/robrwo/Plack-Middleware-Security-Simple",
              "vendor": "RRWO",
              "versions": [
                {
                  "lessThan": "0.13.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n  GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-790",
                  "description": "CWE-790 Improper Filtering of Special Elements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-113",
                  "description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T11:36:50.565Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 0.13.1 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths",
          "workarounds": [
            {
              "lang": "en",
              "value": "Use with the non_printable_chars rule to block header injections."
            }
          ],
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-9658",
        "datePublished": "2026-05-28T11:36:50.565Z",
        "dateReserved": "2026-05-26T20:57:50.718Z",
        "dateUpdated": "2026-06-01T18:00:18.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9658 (GCVE-0-2026-9658)

    Vulnerability from cvelistv5 – Published: 2026-05-28 11:36 – Updated: 2026-06-01 18:00
    VLAI
    Title
    Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
    Summary
    Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example `GET /path\r\nHTTP/1.1\r\nHost: secret.example.com`. Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-790 - Improper Filtering of Special Elements
    • CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers
    Assigner
    Impacted products
    Vendor Product Version
    RRWO Plack::Middleware::Security::Common Affected: 0 , < 0.13.1 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-28T22:33:29.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/28/9"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9658",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T18:00:08.268723Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T18:00:18.515Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Plack-Middleware-Security-Simple",
              "product": "Plack::Middleware::Security::Common",
              "programFiles": [
                "lib/Plack/Middleware/Security/Common.pm"
              ],
              "programRoutines": [
                {
                  "name": "Plack::Middleware::Security::Common::header_injection"
                }
              ],
              "repo": "https://github.com/robrwo/Plack-Middleware-Security-Simple",
              "vendor": "RRWO",
              "versions": [
                {
                  "lessThan": "0.13.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n  GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-790",
                  "description": "CWE-790 Improper Filtering of Special Elements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-113",
                  "description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T11:36:50.565Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 0.13.1 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths",
          "workarounds": [
            {
              "lang": "en",
              "value": "Use with the non_printable_chars rule to block header injections."
            }
          ],
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-9658",
        "datePublished": "2026-05-28T11:36:50.565Z",
        "dateReserved": "2026-05-26T20:57:50.718Z",
        "dateUpdated": "2026-06-01T18:00:18.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }