CVE-2008-7319
Published 2017-11-07
Priority: P260 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.19% (92.6th percentile)
The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| net-ping-external_project | net-ping-external | <= 0.15 | — |
Detection & IOCs
- Shell command injection via unsanitized arguments (e.g., invalid hostnames containing shell metacharacters) passed to backticks in External.pm of Net::Ping::External.
- Monitor for unexpected child process spawning from Perl processes invoking Net::Ping::External, particularly ping-related commands with anomalous hostname arguments containing shell metacharacters (e.g., `;`, `|`, `` ` ``, `$()`).
- Vulnerability affects Net::Ping::External through version 0.15 only; patched in perl-Net-Ping-External-0.15-11 (Fedora packages). Verify the installed version before applying detection logic.
- The injection point is specifically the backtick operator in External.pm; detection should focus on that file/module being loaded in conjunction with untrusted hostname input.
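The monitoring note above can be turned into a triage filter over process-creation telemetry. The following is an added example, not code from this page or from the Net::Ping::External project; the event field names (`pid`, `parent_image`, `cmdline`) and the sample events, including the `ping -c 1` command shape, are constructed assumptions.

```python
import os
import re

# Metacharacters named in the detection note above: ;  |  `  $(
SHELL_META = re.compile(r";|\||`|\$\(")
# "ping" or "ping6" as a command word, bare or at the end of a path.
PING_WORD = re.compile(r"(?:^|[\s/])ping6?(?:\s|$)")


def is_perl(image):
    """True for perl, perl5, perl5.36.0, ... judged by basename."""
    return re.fullmatch(r"perl[\d.]*", os.path.basename(image)) is not None


def suspicious(event):
    """Return the metacharacters found in a perl-spawned ping command line."""
    if not is_perl(event["parent_image"]):
        return []
    cmd = event["cmdline"]
    if not PING_WORD.search(cmd):
        return []
    return sorted(set(SHELL_META.findall(cmd)))


def flag_events(events):
    """Return (pid, metacharacters) for every event worth triaging."""
    hits = []
    for ev in events:
        found = suspicious(ev)
        if found:
            hits.append((ev["pid"], found))
    return hits


# Constructed sample events (hypothetical field names, not real telemetry).
# Perl runs a backtick command through "sh -c" when it contains shell
# metacharacters, so the injected cases show up as a shell child of perl.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": "/usr/bin/perl",
     "cmdline": "sh -c ping -c 1 example.org; echo marker"},
    {"pid": 4102, "parent_image": "/usr/bin/perl",
     "cmdline": "/usr/bin/ping -c 1 192.0.2.10"},
    {"pid": 4103, "parent_image": "/usr/sbin/cron",
     "cmdline": "sh -c ping -c 1 example.org | grep ttl"},
    {"pid": 4107, "parent_image": "/usr/bin/perl5.36.0",
     "cmdline": "sh -c ping -c 1 $(hostname)"},
]

if __name__ == "__main__":
    for pid, found in flag_events(SAMPLE_EVENTS):
        print(f"pid {pid}: perl-spawned ping with metacharacters {found}")
```

Hits are triage candidates only: confirm that the parent Perl process actually loads Net::Ping::External at an affected version before escalating.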
CVSS provenance
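| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |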
GHSA
GHSA-8624-26q6-28m7
ghsa_unreviewed · 2022-05-17
CVE-2008-7319 [CRITICAL] CWE-77
OSV
CVE-2008-7319 [CRITICAL]
osv · 2017-11-07 · CVSS 9.8
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-7319 perl-Net-Ping-External: Unproper argument sanitization [fedora-all]
bugzilla · 2017-11-08 · CVSS 9.8 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported vers
Bugzilla
CVE-2008-7319 perl-Net-Ping-External: Unproper argument sanitization
bugzilla · 2017-11-08 · CVSS 9.8 [CRITICAL]
The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used.
Upstream issue:
https://rt.cpan.org/Public/Bug/Display.html?id=33230
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881097
http://www.openwall.com/lists/oss-security/2017/11/07/4
Discussion:
Created perl-Net-Ping-External tracking bugs for this issue:
Affects: fedora-all [bug 1510785]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially s
http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch
http://www.openwall.com/lists/oss-security/2017/11/07/4
https://bugs.debian.org/881097
https://rt.cpan.org/Public/Bug/Display.html?id=33230