CVE-2008-7319
published 2017-11-07

Priority: P260 | critical | 9.8 | CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.19% (92.6th percentile)

The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used.

Affected

1 range

Vendor | Product | Version range | Fixed in
net-ping-external_project | net-ping-external | <= 0.15 |

Detection & IOCs (extracted from sources)

  • Shell command injection via unsanitized arguments (e.g., invalid hostnames containing shell metacharacters) passed to backticks in External.pm of Net::Ping::External
  • Monitor for unexpected child process spawning from Perl processes invoking Net::Ping::External, particularly ping-related commands with anomalous hostname arguments containing shell metacharacters (e.g., `;`, `|`, `` ` ``, `$()`).
  • Vulnerability affects Net::Ping::External through version 0.15 only; patched in perl-Net-Ping-External-0.15-11 (Fedora packages). Verify the installed version before applying detection logic.
  • The injection point is specifically the backtick operator in External.pm; detection should focus on that file/module being loaded in conjunction with untrusted hostname input.
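
The monitoring guidance above can be prototyped over process-creation telemetry. The following is an added example, not code from this page or from the Net::Ping::External project; the event fields (`pid`, `parent_image`, `image`, `command`), the shell list and the sample events are constructed assumptions. It also includes an allow-list hostname check that an application can apply before calling the module.

```python
import re

# Metacharacters listed in the detection note above, plus newline (added here).
SHELL_META = re.compile(r"[;|`\n]|\$\(")
PING_CMD = re.compile(r"(^|[\s/])ping6?\b")
PERL_IMAGE = re.compile(r"(^|/)perl[0-9.]*$")
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
HOST_CHARS = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.\-]*[A-Za-z0-9])?")


def is_valid_ping_target(value):
    """Allow-list check to apply before handing a hostname or IPv4 address to ping."""
    return len(value) <= 253 and HOST_CHARS.fullmatch(value) is not None


def ping_command_is_anomalous(command):
    """True when a shell command string runs ping and carries shell metacharacters."""
    return bool(PING_CMD.search(command)) and bool(SHELL_META.search(command))


def flag_events(events):
    """Return pids of shells spawned by Perl whose ping command looks injected."""
    hits = []
    for ev in events:
        child = ev["image"].rsplit("/", 1)[-1]
        if (PERL_IMAGE.search(ev["parent_image"]) and child in SHELLS
                and ping_command_is_anomalous(ev["command"])):
            hits.append(ev["pid"])
    return hits


# Constructed process-creation events (hypothetical schema, not from a real log).
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": "/usr/bin/perl", "image": "/bin/ping",
     "command": "ping -c 1 db01.example.net"},
    {"pid": 4102, "parent_image": "/usr/bin/perl", "image": "/bin/sh",
     "command": "ping -c 1 db01.example.net; id"},
    {"pid": 4107, "parent_image": "/usr/sbin/cron", "image": "/bin/sh",
     "command": "ping -c 1 gw.example.net | logger"},
    {"pid": 4110, "parent_image": "/usr/bin/perl5.36.0", "image": "/bin/sh",
     "command": "ping -c 1 $(hostname)"},
]

if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))
```

Legitimate wrappers that pipe ping output from Perl will also match, so the rule needs per-environment tuning before it is used for alerting.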

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | 9.8 | CRITICAL