JVNDB-2017-010280

Vulnerability from jvndb - Published: 2017-12-11 14:13 - Updated:2017-12-11 14:13
Severity ?
5.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Fluentd vulenrable to escape sequence injection
Details
Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability. Fluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs. Teppei Fukuda reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
References
Impacted products
Show details on JVN DB website
To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-010280.html",
  "dc:date": "2017-12-11T14:13+09:00",
  "dcterms:issued": "2017-12-11T14:13+09:00",
  "dcterms:modified": "2017-12-11T14:13+09:00",
  "description": "Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability.\r\n\r\nFluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs.\r\n\r\nTeppei Fukuda reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-010280.html",
  "sec:cpe": {
    "#text": "cpe:/a:fluentd:fluentd",
    "@product": "Fluentd",
    "@vendor": "Cloud Native Computing Foundation (CNCF)",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2017-010280",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/vu/JVNVU95124098/index.html",
      "@id": "JVNVU#95124098",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906",
      "@id": "CVE-2017-10906",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-10906",
      "@id": "CVE-2017-10906",
      "@source": "NVD"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/150.html",
      "@id": "CWE-150",
      "@title": "Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150)"
    }
  ],
  "title": "Fluentd vulenrable to escape sequence injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.