UBUNTU-CVE-2026-7017

Source
https://ubuntu.com/security/CVE-2026-7017
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-7017
Upstream
Published
2026-07-07T19:16:00Z
Modified
2026-07-09T17:15:52.841661406Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, _maybe_redirect follows the Location: header and _prepare_headers_and_cb re-merges the caller's headers argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied Authorization, Cookie and Proxy-Authorization headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including https to http downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

References

Affected packages

Ubuntu:16.04:LTS
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.056-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.056-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:18.04:LTS
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.070-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.070-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:20.04:LTS
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.076-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.076-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:22.04:LTS
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.076-1
0.080-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.080-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.32.1-3ubuntu3
5.34.0-3ubuntu1
5.34.0-3ubuntu1.1
5.34.0-3ubuntu1.2
5.34.0-3ubuntu1.3
5.34.0-3ubuntu1.4
5.34.0-3ubuntu1.5
5.34.0-3ubuntu1.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.34",
            "binary_version": "5.34.0-3ubuntu1.7"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.34.0-3ubuntu1.7"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.34.0-3ubuntu1.7"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.34.0-3ubuntu1.7"
        },
        {
            "binary_name": "perl-modules-5.34",
            "binary_version": "5.34.0-3ubuntu1.7"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:24.04:LTS
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.082-2
0.088-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.088-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.36.0-9ubuntu1
5.36.0-10ubuntu1
5.38.2-3
5.38.2-3.2
5.38.2-3.2build1
5.38.2-3.2build2
5.38.2-3.2build2.1
5.38.2-3.2ubuntu0.1
5.38.2-3.2ubuntu0.2
5.38.2-3.2ubuntu0.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.38t64",
            "binary_version": "5.38.2-3.2ubuntu0.3"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.38.2-3.2ubuntu0.3"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.38.2-3.2ubuntu0.3"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.38.2-3.2ubuntu0.3"
        },
        {
            "binary_name": "perl-modules-5.38",
            "binary_version": "5.38.2-3.2ubuntu0.3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:25.10
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.090-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.090-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.40.1-2
5.40.1-3
5.40.1-5
5.40.1-6
5.40.1-6build1
5.40.1-6ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.40",
            "binary_version": "5.40.1-6ubuntu0.1"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.40.1-6ubuntu0.1"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.40.1-6ubuntu0.1"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.40.1-6ubuntu0.1"
        },
        {
            "binary_name": "perl-modules-5.40",
            "binary_version": "5.40.1-6ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:26.04:LTS
libhttp-tiny-perl

Package

Name
libhttp-tiny-perl
Purl
pkg:deb/ubuntu/libhttp-tiny-perl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.090-1
0.092-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libhttp-tiny-perl",
            "binary_version": "0.092-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.40.1-6build1
5.40.1-7build1
5.40.1-7ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.40",
            "binary_version": "5.40.1-7ubuntu0.1"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.40.1-7ubuntu0.1"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.40.1-7ubuntu0.1"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.40.1-7ubuntu0.1"
        },
        {
            "binary_name": "perl-modules-5.40",
            "binary_version": "5.40.1-7ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:Pro:14.04:LTS
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.14.2-21build1
5.18.1-4
5.18.1-4build1
5.18.1-5
5.18.2-2
5.18.2-2ubuntu1
5.18.2-2ubuntu1.1
5.18.2-2ubuntu1.3
5.18.2-2ubuntu1.4
5.18.2-2ubuntu1.6
5.18.2-2ubuntu1.7
5.18.2-2ubuntu1.7+esm3
5.18.2-2ubuntu1.7+esm4
5.18.2-2ubuntu1.7+esm5
5.18.2-2ubuntu1.7+esm7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libcgi-fast-perl",
            "binary_version": "5.18.2-2ubuntu1.7+esm7"
        },
        {
            "binary_name": "libperl5.18",
            "binary_version": "5.18.2-2ubuntu1.7+esm7"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.18.2-2ubuntu1.7+esm7"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.18.2-2ubuntu1.7+esm7"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.18.2-2ubuntu1.7+esm7"
        },
        {
            "binary_name": "perl-modules",
            "binary_version": "5.18.2-2ubuntu1.7+esm7"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:Pro:16.04:LTS
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=esm-infra-legacy%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.20.2-6
5.22.1-3
5.22.1-4
5.22.1-5
5.22.1-7
5.22.1-8
5.22.1-9
5.22.1-9ubuntu0.2
5.22.1-9ubuntu0.3
5.22.1-9ubuntu0.5
5.22.1-9ubuntu0.6
5.22.1-9ubuntu0.9
5.22.1-9ubuntu0.9+esm1
5.22.1-9ubuntu0.9+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.22",
            "binary_version": "5.22.1-9ubuntu0.9+esm2"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.22.1-9ubuntu0.9+esm2"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.22.1-9ubuntu0.9+esm2"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.22.1-9ubuntu0.9+esm2"
        },
        {
            "binary_name": "perl-modules-5.22",
            "binary_version": "5.22.1-9ubuntu0.9+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:Pro:18.04:LTS
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.26.0-8ubuntu1
5.26.1-2ubuntu1
5.26.1-3
5.26.1-4
5.26.1-4build1
5.26.1-5
5.26.1-6
5.26.1-6ubuntu0.1
5.26.1-6ubuntu0.2
5.26.1-6ubuntu0.3
5.26.1-6ubuntu0.5
5.26.1-6ubuntu0.6
5.26.1-6ubuntu0.7
5.26.1-6ubuntu0.7+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.26",
            "binary_version": "5.26.1-6ubuntu0.7+esm2"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.26.1-6ubuntu0.7+esm2"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.26.1-6ubuntu0.7+esm2"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.26.1-6ubuntu0.7+esm2"
        },
        {
            "binary_name": "perl-modules-5.26",
            "binary_version": "5.26.1-6ubuntu0.7+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"
Ubuntu:Pro:20.04:LTS
perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.28.1-6build1
5.30.0-7
5.30.0-9
5.30.0-9build1
5.30.0-9ubuntu0.2
5.30.0-9ubuntu0.3
5.30.0-9ubuntu0.4
5.30.0-9ubuntu0.5
5.30.0-9ubuntu0.5+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libperl5.30",
            "binary_version": "5.30.0-9ubuntu0.5+esm2"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.30.0-9ubuntu0.5+esm2"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.30.0-9ubuntu0.5+esm2"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.30.0-9ubuntu0.5+esm2"
        },
        {
            "binary_name": "perl-modules-5.30",
            "binary_version": "5.30.0-9ubuntu0.5+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-7017.json"