Unrated severityNVD Advisory· Published Dec 6, 2010· Updated Apr 29, 2026

CVE-2010-2761

Description

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.

Affected products

174

Andy Armstrong/Cgi.pm154 versions
cpe:2.3:a:andy_armstrong:cgi.pm:*:*:*:*:*:*:*:*+ 153 more
- cpe:2.3:a:andy_armstrong:cgi.pm:*:*:*:*:*:*:*:*range: <=3.49
- cpe:2.3:a:andy_armstrong:cgi.pm:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.42:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.43:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.44:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.45:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.50:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.51:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.52:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.53:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.54:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.55:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.56:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:1.57:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.01:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.13:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.14:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.15:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.16:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.17:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.18:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.19:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.20:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.21:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.22:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.23:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.24:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.25:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.26:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.27:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.28:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.29:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.30:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.31:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.32:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.33:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.34:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.35:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.36:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.37:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.38:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.39:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.40:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.41:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.42:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.43:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.44:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.45:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.46:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.47:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.48:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.49:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.50:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.51:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.52:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.53:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.54:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.55:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.56:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.57:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.58:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.59:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.60:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.61:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.62:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.63:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.64:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.65:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.66:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.67:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.68:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.69:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.70:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.71:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.72:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.73:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.74:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.75:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.751:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.752:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.76:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.77:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.78:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.79:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.80:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.81:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.82:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.83:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.84:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.85:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.86:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.87:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.88:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.89:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.90:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.91:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.92:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.93:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.94:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.95:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.96:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.97:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.98:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:2.99:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.00:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.01:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.02:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.03:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.04:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.05:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.06:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.07:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.08:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.09:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.10:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.12:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.13:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.14:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.15:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.16:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.17:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.18:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.19:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.20:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.21:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.22:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.23:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.24:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.25:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.26:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.27:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.28:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.29:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.30:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.31:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.32:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.33:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.34:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.35:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.36:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.37:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.38:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.39:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.40:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.41:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.42:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.43:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.44:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.45:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.46:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.47:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi.pm:3.48:*:*:*:*:*:*:*
Andy Armstrong/Cgi Simple20 versions
cpe:2.3:a:andy_armstrong:cgi-simple:*:*:*:*:*:*:*:*+ 19 more
- cpe:2.3:a:andy_armstrong:cgi-simple:*:*:*:*:*:*:*:*range: <=1.112
- cpe:2.3:a:andy_armstrong:cgi-simple:0.078:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:0.079:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:0.080:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:0.081:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:0.082:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:0.83:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.103:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.104:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.105:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.106:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.107:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.108:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.109:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.110:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.111:*:*:*:*:*:*:*
- cpe:2.3:a:andy_armstrong:cgi-simple:1.1.2:*:*:*:*:*:*:*

Patches

e4942b871a26

Randomise multipart boundary. Thanks to Yamada Masahiro.

https://github.com/AndyA/CGI--SimpleAndy ArmstrongNov 13, 2010via nvd-ref

commit

3 files changed · +15 −5

lib/CGI/Simple.pm+8 −1 modified

@@ -1125,7 +1125,14 @@ sub multipart_init {
   my ( $self, @p ) = @_;
   use CGI::Simple::Util qw(rearrange);
   my ( $boundary, @other ) = rearrange( ['BOUNDARY'], @p );
-  $boundary = $boundary || '------- =_aaaaaaaaaa0';
+  if ( !$boundary ) {
+    $boundary = '------- =_';
+    my @chrs = ( '0' .. '9', 'A' .. 'Z', 'a' .. 'z' );
+    for ( 1 .. 17 ) {
+      $boundary .= $chrs[ rand( scalar @chrs ) ];
+    }
+  }
+
   my $CRLF = $self->crlf;    # get CRLF sequence
   my $warning
    = "WARNING: YOUR BROWSER DOESN'T SUPPORT THIS SERVER-PUSH TECHNOLOGY.";

t/050.simple.t+3 −2 modified

@@ -945,10 +945,11 @@ $q = new CGI::Simple;
 $sv = $q->multipart_init();
 like(
   $sv,
-  qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+  qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
   'multipart_init(), 1'
 );
-like( $sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2' );
+like( $sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+  'multipart_init(), 2' );
 $sv = $q->multipart_init( 'this_is_the_boundary' );
 like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3' );
 $sv = $q->multipart_init( -boundary => 'this_is_another_boundary' );

t/070.standard.t+4 −2 modified

@@ -953,10 +953,12 @@ restore_parameters();
 $sv = multipart_init();
 like(
   $sv,
-  qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+  qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
   'multipart_init(), 1'
 );
-like( $sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2' );
+
+like( $sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+  'multipart_init(), 2' );
 $sv = multipart_init( 'this_is_the_boundary' );
 like( $sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3' );
 $sv = multipart_init( -boundary => 'this_is_another_boundary' );

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000