GHSA-8x3h-9qcg-hv3jCriticalCVSS 9.8
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. ...
🔗 CVE IDs covered (1)
📋 Description
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded.
Module names starting with "::" could be passed to the load function to specify arbitrary module paths.
Attackers able to influence module names passed to load could use that bug to execute arbitrary code.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2011-10043
- https://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or-bad-interfaces-make-good-people-do-bad-things.html
- https://metacpan.org/release/BINGOS/Module-Load-0.22/changes
- https://metacpan.org/release/BINGOS/Module-Load-0.22/diff/BINGOS/Module-Load-0.20/lib/Module/Load.pm
- https://github.com/advisories/GHSA-8x3h-9qcg-hv3j