Description
The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used.
References (4)
Core References
https://rt.cpan.org/Public/Bug/Display.html?id=33230 (Issue Tracking, Third Party Advisory; x_refsource_misc)
https://bugs.debian.org/881097 (Issue Tracking, Patch, Third Party Advisory; x_refsource_misc)
http://www.openwall.com/lists/oss-security/2017/11/07/4 (Issue Tracking, Mailing List, Patch, Third Party Advisory; x_refsource_misc)
http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch (Issue Tracking, Patch, Third Party Advisory; x_refsource_misc)
Scores
CVSS v3
9.8
EPSS
0.0619
EPSS Percentile
92.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (1)
net-ping-external_project/net-ping-external
< 0.15
Published
Nov 07, 2017
Tracked Since
Feb 18, 2026