CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when grep() encounters a crafted filename.
A file handle is opened with the 2 argument form of open() allowing an attacker controlled filename to provide the MODE parameter to open(), turning the filename into a command to be executed.
Example:
```
$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule \
    -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
```
Analysis (AI)
File::Find::Rule through version 0.34 contains an arbitrary code execution vulnerability in the grep() function where attacker-controlled filenames are passed unsafely to Perl's open() function using the 2-argument form, allowing command injection. This affects any Perl application using File::Find::Rule to search files in directories containing maliciously-named files. A proof-of-concept exists demonstrating command execution via filenames containing pipe characters (|), and the vulnerability requires user interaction (UI:R) to trigger by searching a directory with crafted filenames.
Technical Context (AI)
File::Find::Rule is a Perl module (CPE: cpe:2.3:a:file_find_rule_project:file_find_rule:*:*:*:*:*:perl:*:*) that provides an object-oriented interface to Perl's File::Find functionality for recursive directory traversal and file filtering. The vulnerability stems from CWE-78 (Improper Neutralization of Special Elements used in an OS Command - 'OS Command Injection'). The root cause is the use of Perl's 2-argument open() form: open(FH, $filename) where $filename is user-controlled. In Perl, this form interprets special characters in the filename as shell metacharacters—a pipe character (|) at the end of a filename causes Perl to execute the string as a command rather than opening it as a file. This is a well-known Perl pitfall that should use the 3-argument form: open(FH, '<', $filename) to safely separate the mode from the filename.
Remediation (AI)
Upgrade File::Find::Rule to version 0.35 or later. Update via CPAN: cpan File::Find::Rule or perl -MCPAN -e 'install File::Find::Rule'

Workaround: If immediate patching is not possible, avoid calling grep() on File::Find::Rule results in directories where untrusted users can create files. Validate or sanitize filenames before processing them.

Mitigation: Restrict filesystem write permissions in shared or web-accessible directories. Ensure the Perl process runs with minimal necessary privileges (principle of least privilege) to limit the impact of command execution.

Detection: Scan Perl installations for File::Find::Rule version ≤0.34 using: perl -MFile::Find::Rule -e 'print $File::Find::Rule::VERSION'. Monitor application logs for suspicious filenames containing shell metacharacters (|, ;, $(), backticks, etc.) in searched directories.
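One way to apply the workaround on an install that cannot yet be upgraded, as an added example (not code from File::Find::Rule or from this advisory): files are listed with File::Find::Rule but read through 3-argument open() instead of grep(), and names that 2-argument open() would treat as a mode are reported. The helper names is_mode_like and safe_grep, the filename heuristic, and the sample files are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find::Rule;
use File::Temp qw(tempdir);

# Heuristic (assumption of this example): basenames that 2-argument open()
# would read as a mode or command instead of a plain path.
sub is_mode_like {
    my ($path) = @_;
    my ($name) = $path =~ m{([^/]*)\z};
    return ($name =~ /\A\s*[|<>+]/ || $name =~ /\|\s*\z/
         || $name =~ /\A\s|\s\z/) ? 1 : 0;
}

# Stand-in for ->grep(): list files with File::Find::Rule, read them ourselves.
sub safe_grep {
    my ($pattern, @dirs) = @_;
    my (@hits, @suspicious);
    for my $file (File::Find::Rule->file->in(@dirs)) {
        push @suspicious, $file if is_mode_like($file);
        # Explicit '<' mode: the name can only ever be treated as a path.
        open(my $fh, '<', $file) or do { warn "skip $file: $!\n"; next };
        while (my $line = <$fh>) {
            if ($line =~ $pattern) { push @hits, $file; last }
        }
        close $fh;
    }
    return (\@hits, \@suspicious);
}

# Constructed sample data: one ordinary file and one named like the page's PoC.
my $dir = tempdir(CLEANUP => 1);
for my $name ('notes.txt', '|id') {
    open(my $out, '>', "$dir/$name") or die "create $name: $!";
    print {$out} "foo\n";
    close $out;
}

my ($hits, $suspicious) = safe_grep(qr/foo/, $dir);
print "match: $_\n" for sort @$hits;
print "suspicious name: $_\n" for sort @$suspicious;
```

Both sample files are reported as matches because each is read as an ordinary file, and the pipe-prefixed name is additionally listed as suspicious so it can be logged or investigated.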
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| upstream | released | 0.34-4 |
| jammy | released | 0.34-1ubuntu0.22.04.1 |
| noble | released | 0.34-3ubuntu0.24.04.1 |
| oracular | released | 0.34-3ubuntu0.24.10.1 |
| plucky | released | 0.34-3ubuntu0.25.04.1 |
| questing | not-affected | 0.34-4 |
Debian
Bug #1107311

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 0.34-1+deb11u1 | - |
| bullseye (security) | fixed | 0.34-1+deb11u1 | - |
| bookworm, bookworm (security) | fixed | 0.34-4~deb12u1 | - |
| trixie | fixed | 0.34-4 | - |
| forky, sid | fixed | 0.35-1 | - |
| bookworm | fixed | 0.34-4~deb12u1 | - |
| (unstable) | fixed | 0.34-4 | - |
EUVD-2011-5236