Описание
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when grep() encounters a crafted filename.
A file handle is opened with the 2 argument form of open() allowing an attacker controlled filename to provide the MODE parameter to open(), turning the filename into a command to be executed.
Example:
$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule
-E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
A flaw was found in perl-file-find-rule. The grep() function within File::Find::Rule versions up to 0.34 is vulnerable to arbitrary code execution if provided with a specially crafted filename. This vulnerability allows an attacker to supply a filename that, when opened, executes arbitrary code via the open() function's mode parameter. Consequently, an attacker can achieve remote code execution by providing a malicious filename.
Отчет
This vulnerability marked as Important rather than Moderate because it enables arbitrary code execution (ACE) through a common and trusted interface—filename handling. Specifically, the use of Perl’s two-argument open() within the grep() method allows attacker-controlled filenames to be interpreted as shell commands when prefixed with special characters like |. Since File::Find::Rule is often used in automation scripts, system utilities, and recursive file operations, this flaw transforms a seemingly benign filename input into an execution vector, violating a core security boundary between data and code. The vulnerability does not require elevated privileges or complex exploitation chains; a single crafted filename is enough to trigger shell execution, making the flaw exploitable in real-world scenarios such as CI/CD pipelines or file indexing systems.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | perl-File-Find-Rule | Out of support scope | ||
| Red Hat Enterprise Linux 6 | perl-File-Find-Rule-Perl | Out of support scope | ||
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | perl-File-Find-Rule-Perl | Fixed | RHSA-2025:9740 | 26.06.2025 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | perl-File-Find-Rule | Fixed | RHSA-2025:9741 | 26.06.2025 |
| Red Hat Enterprise Linux 8 | perl-File-Find-Rule | Fixed | RHSA-2025:9605 | 25.06.2025 |
| Red Hat Enterprise Linux 9 | perl-File-Find-Rule | Fixed | RHSA-2025:9517 | 24.06.2025 |
| Red Hat Enterprise Linux 9.4 Extended Update Support | perl-File-Find-Rule | Fixed | RHSA-2025:9658 | 25.06.2025 |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
7.3 High
CVSS3
Связанные уязвимости
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \ -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users)
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \ -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users)
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code ...
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \ -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users)
7.3 High
CVSS3