CVE-2013-1437

NameCVE-2013-1437
DescriptionEval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libmodule-metadata-perl (PTS)buster, stretch1.000033-1fixed
bullseye, sid1.000037-1fixed
perl (PTS)stretch5.24.1-3+deb9u7fixed
stretch (security)5.24.1-3+deb9u5fixed
buster5.28.1-6+deb10u1fixed
bullseye5.32.1-2fixed
sid5.32.1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libmodule-metadata-perlsourcewheezy1.000009-1+deb7u1
libmodule-metadata-perlsource(unstable)1.000015-1
perlsourcesqueeze(not affected)
perlsourcewheezy(not affected)
perlsource(unstable)5.18.1-2

Notes

[wheezy] - perl <not-affected> (Bug was introduced later)
[squeeze] - perl <not-affected> (Does not yet contain Module::Metadata)
this is by 'design', but previous to version Module::Metadata 1.000015
the statement was This module provides a standard way to gather metadata
about a .pm file *without* executing unsafe code.

Search for package or bug name: Reporting problems