SB2025062782 - Arbitrary code execution in File::Find::Rule
Published: June 27, 2025
Security Bulletin ID
SB2025062782
Severity
Low
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2011-10007)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation when `grep()` encounters a specially crafted filename. A local user can place a specially crafted file onto the system and execute arbitrary commands with privileges of the user running the affected application.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://www.openwall.com/lists/oss-security/2025/06/05/4
- http://www.openwall.com/lists/oss-security/2025/06/06/1
- http://www.openwall.com/lists/oss-security/2025/06/06/3
- https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f.patch
- https://github.com/richardc/perl-file-find-rule/pull/4
- https://lists.debian.org/debian-lts-announce/2025/06/msg00006.html
- https://metacpan.org/release/RCLAMP/File-Find-Rule-0.34/source/lib/File/Find/Rule.pm#L423
- https://rt.cpan.org/Public/Bug/Display.html?id=64504