All the vulnerabilites related to Cloud Native Computing Foundation (CNCF) - Fluentd
cve-2017-10906
Vulnerability from cvelistv5
Published
2017-12-08 15:00
Modified
2024-08-05 17:50
Severity ?
EPSS score ?
Summary
Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2225 | vendor-advisory, x_refsource_REDHAT | |
| https://jvn.jp/en/vu/JVNVU95124098/index.html | x_refsource_MISC | |
| https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes | x_refsource_CONFIRM | |
| https://github.com/fluent/fluentd/pull/1733 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Cloud Native Computing Foundation (CNCF) | Fluentd |
Version: 0.12.29 through 0.12.40 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:50:12.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:2225",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2225"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluent/fluentd/pull/1733"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Fluentd",
"vendor": "Cloud Native Computing Foundation (CNCF)",
"versions": [
{
"status": "affected",
"version": "0.12.29 through 0.12.40"
}
]
}
],
"datePublic": "2017-12-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escape Sequence Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-20T09:57:01",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "RHSA-2018:2225",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2225"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluent/fluentd/pull/1733"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2017-10906",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fluentd",
"version": {
"version_data": [
{
"version_value": "0.12.29 through 0.12.40"
}
]
}
}
]
},
"vendor_name": "Cloud Native Computing Foundation (CNCF)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Escape Sequence Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:2225",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2225"
},
{
"name": "https://jvn.jp/en/vu/JVNVU95124098/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
},
{
"name": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes",
"refsource": "CONFIRM",
"url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
},
{
"name": "https://github.com/fluent/fluentd/pull/1733",
"refsource": "CONFIRM",
"url": "https://github.com/fluent/fluentd/pull/1733"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2017-10906",
"datePublished": "2017-12-08T15:00:00",
"dateReserved": "2017-07-04T00:00:00",
"dateUpdated": "2024-08-05T17:50:12.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2017-010280
Vulnerability from jvndb
Published
2017-12-11 14:13
Modified
2017-12-11 14:13
Severity ?
Summary
Fluentd vulenrable to escape sequence injection
Details
Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability.
Fluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs.
Teppei Fukuda reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/vu/JVNVU95124098/index.html | |
| CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2017-10906 | |
| Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150) | https://cwe.mitre.org/data/definitions/150.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Cloud Native Computing Foundation (CNCF) | Fluentd |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-010280.html",
"dc:date": "2017-12-11T14:13+09:00",
"dcterms:issued": "2017-12-11T14:13+09:00",
"dcterms:modified": "2017-12-11T14:13+09:00",
"description": "Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability.\r\n\r\nFluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs.\r\n\r\nTeppei Fukuda reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-010280.html",
"sec:cpe": {
"#text": "cpe:/a:fluentd:fluentd",
"@product": "Fluentd",
"@vendor": "Cloud Native Computing Foundation (CNCF)",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-010280",
"sec:references": [
{
"#text": "http://jvn.jp/en/vu/JVNVU95124098/index.html",
"@id": "JVNVU#95124098",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906",
"@id": "CVE-2017-10906",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-10906",
"@id": "CVE-2017-10906",
"@source": "NVD"
},
{
"#text": "https://cwe.mitre.org/data/definitions/150.html",
"@id": "CWE-150",
"@title": "Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150)"
}
],
"title": "Fluentd vulenrable to escape sequence injection"
}