CVE-2022-31081 for HTTP::Daemon

cpansa/CPANSA-HTTP-Daemon.yml

@@ -0,0 +1,33 @@
+---
+- affected_versions: '>0'
+  cves:
+    - CVE-2022-31081
+  description: >
+    HTTP::Daemon is a simple http server class written in perl.
+    Versions prior to 6.15 are subject to a vulnerability which could
+    potentially be exploited to gain privileged access to APIs or poison
+    intermediate caches. It is uncertain how large the risks are, most
+    Perl based applications are served on top of Nginx or Apache, not on
+    the `HTTP::Daemon`. This library is commonly used for local
+    development and tests. Users are advised to update to resolve this
+    issue. Users unable to upgrade may add additional request handling
+    logic as a mitigation. After calling `my $rqst = $conn->get_request()`
+    one could inspect the returned `HTTP::Request` object. Querying the
+    'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will
+    show any abnormalities that should be dealt with by a `400` response.
+    Expected strings of 'Content-Length' SHOULD consist of either a single
+    non-negative integer, or, a comma separated repetition of that number.
+    (that is `42` or `42, 42, 42`). Anything else MUST be rejected.
+  distribution: HTTP-Daemon
+  fixed_versions: ~
+  id: CPANSA-HTTP-Daemon-2022-31081
+  references:
+    - https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2
+    - https://github.com/libwww-perl/HTTP-Daemon/commit/8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0
+    - https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
+    - https://datatracker.ietf.org/doc/html/rfc7230#section-9.5
+    - https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf
+    - http://metacpan.org/release/HTTP-Daemon/
+    - https://cwe.mitre.org/data/definitions/444.html
+  reported: 2022-06-27
+  severity: medium