#VU112028 OS Command Injection in File-Find-Rule - CVE-2011-10007
Published: June 27, 2025
File-Find-Rule
RCLAMP
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation when `grep()` encounters a specially crafted filename. A local user can place a specially crafted file onto the system and execute arbitrary commands with the privileges of the user running the affected application.
Remediation
External links
- http://www.openwall.com/lists/oss-security/2025/06/05/4
- http://www.openwall.com/lists/oss-security/2025/06/06/1
- http://www.openwall.com/lists/oss-security/2025/06/06/3
- https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f.patch
- https://github.com/richardc/perl-file-find-rule/pull/4
- https://lists.debian.org/debian-lts-announce/2025/06/msg00006.html
- https://metacpan.org/release/RCLAMP/File-Find-Rule-0.34/source/lib/File/Find/Rule.pm#L423
- https://rt.cpan.org/Public/Bug/Display.html?id=64504