OS Command Injection in File-Find-Rule - CVE-2011-10007
Published: June 27, 2025
Vulnerability identifier: #VU112028
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-10007
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: RCLAMP
Affected software:
File-Find-Rule
File-Find-Rule
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation when `grep()` encounters a specially crafted filename. A local user can place a specially crafted file onto the system and execute arbitrary commands with privileges of the user running the affected application.
How to mitigate CVE-2011-10007
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Sources
- http://www.openwall.com/lists/oss-security/2025/06/05/4
- http://www.openwall.com/lists/oss-security/2025/06/06/1
- http://www.openwall.com/lists/oss-security/2025/06/06/3
- https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f.patch
- https://github.com/richardc/perl-file-find-rule/pull/4
- https://lists.debian.org/debian-lts-announce/2025/06/msg00006.html
- https://metacpan.org/release/RCLAMP/File-Find-Rule-0.34/source/lib/File/Find/Rule.pm#L423
- https://rt.cpan.org/Public/Bug/Display.html?id=64504