Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a "pesky pipe" (such as passing "commands|" as a filename) or by passing arbitrary strings to eval().
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"fixed": "1.38"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/10xxx/CVE-2024-10224.json",
"cna_assigner": "canonical"
}{
"source": [
"DESCRIPTION",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:rschupp:modules\\:\\:scandeps:*:*:*:*:*:perl:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.36"
}
]
}