CVE-2010-4410 [Medium] | Code Injection in Cgi.pm

CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-25	1.19%	0.84%	-0.35%
2	2025-03-30	1.66%	1.19%	-0.47%
3	2025-03-29	—	1.66%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-25

1.19%

0.84%

-0.35%

2025-03-30

1.66%

1.19%

-0.47%

2025-03-29

—

1.66%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

2.9

[email protected]

OS Trackers for CVE-2010-4410

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2010-4410 not yet assigned priority: Debian including 3 source packages (libcgi-pm-perl, libcgi-simple-perl, perl), 15 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 15.	https://security-tracker.debian.org/tracker/CVE-2010-4410
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2010-4410
`suse`	medium	CVE-2010-4410 severity moderate: SUSE including 60 source package names (perl-32bit-5.10.0-64.55.1, perl-32bit-5.10.0-64.67.52, …), 99 product×package rows across 27 product lines (SUSE Linux Enterprise Desktop 12, SUSE Linux Enterprise Desktop 12 SP1, … (27 product lines)): Fixed 99.	https://www.suse.com/security/cve/CVE-2010-4410/
`ubuntu`	medium	CVE-2010-4410 medium priority: Ubuntu including 3 source packages (libcgi-pm-perl, libcgi-simple-perl, perl), 36 status rows across 12 suites (dapper, hardy, karmic, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, upstream): not-affected 18, ignored 9, released 7, DNE 2.	https://ubuntu.com/security/CVE-2010-4410

Affected software / configurations for CVE-2010-4410

Vendor	Product	Version	Raw CPE
andy_armstrong	cgi.pm	<= 3.49	cpe:2.3:a:andy_armstrong:cgi.pm::::::::
andy_armstrong	cgi.pm	1.4	cpe:2.3:a:andy_armstrong:cgi.pm:1.4:::::::*
andy_armstrong	cgi.pm	1.42	cpe:2.3:a:andy_armstrong:cgi.pm:1.42:::::::*
andy_armstrong	cgi.pm	1.43	cpe:2.3:a:andy_armstrong:cgi.pm:1.43:::::::*
andy_armstrong	cgi.pm	1.44	cpe:2.3:a:andy_armstrong:cgi.pm:1.44:::::::*
andy_armstrong	cgi.pm	1.45	cpe:2.3:a:andy_armstrong:cgi.pm:1.45:::::::*
andy_armstrong	cgi.pm	1.50	cpe:2.3:a:andy_armstrong:cgi.pm:1.50:::::::*
andy_armstrong	cgi.pm	1.51	cpe:2.3:a:andy_armstrong:cgi.pm:1.51:::::::*
andy_armstrong	cgi.pm	1.52	cpe:2.3:a:andy_armstrong:cgi.pm:1.52:::::::*
andy_armstrong	cgi.pm	1.53	cpe:2.3:a:andy_armstrong:cgi.pm:1.53:::::::*
andy_armstrong	cgi.pm	1.54	cpe:2.3:a:andy_armstrong:cgi.pm:1.54:::::::*
andy_armstrong	cgi.pm	1.55	cpe:2.3:a:andy_armstrong:cgi.pm:1.55:::::::*
andy_armstrong	cgi.pm	1.56	cpe:2.3:a:andy_armstrong:cgi.pm:1.56:::::::*
andy_armstrong	cgi.pm	1.57	cpe:2.3:a:andy_armstrong:cgi.pm:1.57:::::::*
andy_armstrong	cgi.pm	2.0	cpe:2.3:a:andy_armstrong:cgi.pm:2.0:::::::*
andy_armstrong	cgi.pm	2.01	cpe:2.3:a:andy_armstrong:cgi.pm:2.01:::::::*
andy_armstrong	cgi.pm	2.13	cpe:2.3:a:andy_armstrong:cgi.pm:2.13:::::::*
andy_armstrong	cgi.pm	2.14	cpe:2.3:a:andy_armstrong:cgi.pm:2.14:::::::*
andy_armstrong	cgi.pm	2.15	cpe:2.3:a:andy_armstrong:cgi.pm:2.15:::::::*
andy_armstrong	cgi.pm	2.16	cpe:2.3:a:andy_armstrong:cgi.pm:2.16:::::::*
andy_armstrong	cgi.pm	2.17	cpe:2.3:a:andy_armstrong:cgi.pm:2.17:::::::*
andy_armstrong	cgi.pm	2.18	cpe:2.3:a:andy_armstrong:cgi.pm:2.18:::::::*
andy_armstrong	cgi.pm	2.19	cpe:2.3:a:andy_armstrong:cgi.pm:2.19:::::::*
andy_armstrong	cgi.pm	2.20	cpe:2.3:a:andy_armstrong:cgi.pm:2.20:::::::*
andy_armstrong	cgi.pm	2.21	cpe:2.3:a:andy_armstrong:cgi.pm:2.21:::::::*
andy_armstrong	cgi.pm	2.22	cpe:2.3:a:andy_armstrong:cgi.pm:2.22:::::::*
andy_armstrong	cgi.pm	2.23	cpe:2.3:a:andy_armstrong:cgi.pm:2.23:::::::*
andy_armstrong	cgi.pm	2.24	cpe:2.3:a:andy_armstrong:cgi.pm:2.24:::::::*
andy_armstrong	cgi.pm	2.25	cpe:2.3:a:andy_armstrong:cgi.pm:2.25:::::::*
andy_armstrong	cgi.pm	2.26	cpe:2.3:a:andy_armstrong:cgi.pm:2.26:::::::*
andy_armstrong	cgi.pm	2.27	cpe:2.3:a:andy_armstrong:cgi.pm:2.27:::::::*
andy_armstrong	cgi.pm	2.28	cpe:2.3:a:andy_armstrong:cgi.pm:2.28:::::::*
andy_armstrong	cgi.pm	2.29	cpe:2.3:a:andy_armstrong:cgi.pm:2.29:::::::*
andy_armstrong	cgi.pm	2.30	cpe:2.3:a:andy_armstrong:cgi.pm:2.30:::::::*
andy_armstrong	cgi.pm	2.31	cpe:2.3:a:andy_armstrong:cgi.pm:2.31:::::::*
andy_armstrong	cgi.pm	2.32	cpe:2.3:a:andy_armstrong:cgi.pm:2.32:::::::*
andy_armstrong	cgi.pm	2.33	cpe:2.3:a:andy_armstrong:cgi.pm:2.33:::::::*
andy_armstrong	cgi.pm	2.34	cpe:2.3:a:andy_armstrong:cgi.pm:2.34:::::::*
andy_armstrong	cgi.pm	2.35	cpe:2.3:a:andy_armstrong:cgi.pm:2.35:::::::*
andy_armstrong	cgi.pm	2.36	cpe:2.3:a:andy_armstrong:cgi.pm:2.36:::::::*
andy_armstrong	cgi.pm	2.37	cpe:2.3:a:andy_armstrong:cgi.pm:2.37:::::::*
andy_armstrong	cgi.pm	2.38	cpe:2.3:a:andy_armstrong:cgi.pm:2.38:::::::*
andy_armstrong	cgi.pm	2.39	cpe:2.3:a:andy_armstrong:cgi.pm:2.39:::::::*
andy_armstrong	cgi.pm	2.40	cpe:2.3:a:andy_armstrong:cgi.pm:2.40:::::::*
andy_armstrong	cgi.pm	2.41	cpe:2.3:a:andy_armstrong:cgi.pm:2.41:::::::*
andy_armstrong	cgi.pm	2.42	cpe:2.3:a:andy_armstrong:cgi.pm:2.42:::::::*
andy_armstrong	cgi.pm	2.43	cpe:2.3:a:andy_armstrong:cgi.pm:2.43:::::::*
andy_armstrong	cgi.pm	2.44	cpe:2.3:a:andy_armstrong:cgi.pm:2.44:::::::*
andy_armstrong	cgi.pm	2.45	cpe:2.3:a:andy_armstrong:cgi.pm:2.45:::::::*
andy_armstrong	cgi.pm	2.46	cpe:2.3:a:andy_armstrong:cgi.pm:2.46:::::::*
andy_armstrong	cgi.pm	2.47	cpe:2.3:a:andy_armstrong:cgi.pm:2.47:::::::*
andy_armstrong	cgi.pm	2.48	cpe:2.3:a:andy_armstrong:cgi.pm:2.48:::::::*
andy_armstrong	cgi.pm	2.49	cpe:2.3:a:andy_armstrong:cgi.pm:2.49:::::::*
andy_armstrong	cgi.pm	2.50	cpe:2.3:a:andy_armstrong:cgi.pm:2.50:::::::*
andy_armstrong	cgi.pm	2.51	cpe:2.3:a:andy_armstrong:cgi.pm:2.51:::::::*
andy_armstrong	cgi.pm	2.52	cpe:2.3:a:andy_armstrong:cgi.pm:2.52:::::::*
andy_armstrong	cgi.pm	2.53	cpe:2.3:a:andy_armstrong:cgi.pm:2.53:::::::*
andy_armstrong	cgi.pm	2.54	cpe:2.3:a:andy_armstrong:cgi.pm:2.54:::::::*
andy_armstrong	cgi.pm	2.55	cpe:2.3:a:andy_armstrong:cgi.pm:2.55:::::::*
andy_armstrong	cgi.pm	2.56	cpe:2.3:a:andy_armstrong:cgi.pm:2.56:::::::*
andy_armstrong	cgi.pm	2.57	cpe:2.3:a:andy_armstrong:cgi.pm:2.57:::::::*
andy_armstrong	cgi.pm	2.58	cpe:2.3:a:andy_armstrong:cgi.pm:2.58:::::::*
andy_armstrong	cgi.pm	2.59	cpe:2.3:a:andy_armstrong:cgi.pm:2.59:::::::*
andy_armstrong	cgi.pm	2.60	cpe:2.3:a:andy_armstrong:cgi.pm:2.60:::::::*
andy_armstrong	cgi.pm	2.61	cpe:2.3:a:andy_armstrong:cgi.pm:2.61:::::::*
andy_armstrong	cgi.pm	2.62	cpe:2.3:a:andy_armstrong:cgi.pm:2.62:::::::*
andy_armstrong	cgi.pm	2.63	cpe:2.3:a:andy_armstrong:cgi.pm:2.63:::::::*
andy_armstrong	cgi.pm	2.64	cpe:2.3:a:andy_armstrong:cgi.pm:2.64:::::::*
andy_armstrong	cgi.pm	2.65	cpe:2.3:a:andy_armstrong:cgi.pm:2.65:::::::*
andy_armstrong	cgi.pm	2.66	cpe:2.3:a:andy_armstrong:cgi.pm:2.66:::::::*
andy_armstrong	cgi.pm	2.67	cpe:2.3:a:andy_armstrong:cgi.pm:2.67:::::::*
andy_armstrong	cgi.pm	2.68	cpe:2.3:a:andy_armstrong:cgi.pm:2.68:::::::*
andy_armstrong	cgi.pm	2.69	cpe:2.3:a:andy_armstrong:cgi.pm:2.69:::::::*
andy_armstrong	cgi.pm	2.70	cpe:2.3:a:andy_armstrong:cgi.pm:2.70:::::::*
andy_armstrong	cgi.pm	2.71	cpe:2.3:a:andy_armstrong:cgi.pm:2.71:::::::*
andy_armstrong	cgi.pm	2.72	cpe:2.3:a:andy_armstrong:cgi.pm:2.72:::::::*
andy_armstrong	cgi.pm	2.73	cpe:2.3:a:andy_armstrong:cgi.pm:2.73:::::::*
andy_armstrong	cgi.pm	2.74	cpe:2.3:a:andy_armstrong:cgi.pm:2.74:::::::*
andy_armstrong	cgi.pm	2.75	cpe:2.3:a:andy_armstrong:cgi.pm:2.75:::::::*
andy_armstrong	cgi.pm	2.76	cpe:2.3:a:andy_armstrong:cgi.pm:2.76:::::::*

References for CVE-2010-4410

URL	Tags
http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://openwall.com/lists/oss-security/2010/12/01/1	Patch
http://openwall.com/lists/oss-security/2010/12/01/2	Patch
http://openwall.com/lists/oss-security/2010/12/01/3	Patch
http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm	Patch
http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1	Patch
http://secunia.com/advisories/43068
http://secunia.com/advisories/43147
http://www.mandriva.com/security/advisories?name=MDVSA-2010:237
http://www.mandriva.com/security/advisories?name=MDVSA-2010:252
http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html	Patch
http://www.redhat.com/support/errata/RHSA-2011-1797.html
http://www.securityfocus.com/bid/44199
http://www.securityfocus.com/bid/45145
http://www.vupen.com/english/advisories/2010/3230
http://www.vupen.com/english/advisories/2011/0212
http://www.vupen.com/english/advisories/2011/0249
https://bugzilla.redhat.com/show_bug.cgi?id=658970

URL

CVE-2010-4410

Exploit prediction scoring system (EPSS) score for CVE-2010-4410

Common vulnerability scoring system (CVSS) metrics for CVE-2010-4410

Weakness enumeration for CVE-2010-4410

OS Trackers for CVE-2010-4410

Affected software / configurations for CVE-2010-4410

References for CVE-2010-4410