CVE-2008-7319
Published: 7 November 2017
The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used.
Priority
Status
Package | Release | Status |
---|---|---|
libnet-ping-external-perl Launchpad, Ubuntu, Debian |
kinetic |
Does not exist
|
lunar |
Does not exist
|
|
xenial |
Needed
|
|
artful |
Ignored
(end of life)
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Needs triage
|
|
zesty |
Ignored
(end of life)
|
|
mantic |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7319
- https://rt.cpan.org/Public/Bug/Display.html?id=33230
- http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch
- http://www.openwall.com/lists/oss-security/2017/11/07/4
- https://bugs.debian.org/881097
- NVD
- Launchpad
- Debian