jvndb-2017-010280
Vulnerability from jvndb
Published
2017-12-11 14:13
Modified
2017-12-11 14:13
Severity ?
5.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Fluentd vulenrable to escape sequence injection
Details
Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability. Fluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs. Teppei Fukuda reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
References
JVN http://jvn.jp/en/vu/JVNVU95124098/index.html
CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906
NVD https://nvd.nist.gov/vuln/detail/CVE-2017-10906
Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150) https://cwe.mitre.org/data/definitions/150.html
Impacted products
Cloud Native Computing Foundation (CNCF)Fluentd
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-010280.html",
  "dc:date": "2017-12-11T14:13+09:00",
  "dcterms:issued": "2017-12-11T14:13+09:00",
  "dcterms:modified": "2017-12-11T14:13+09:00",
  "description": "Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability.\r\n\r\nFluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs.\r\n\r\nTeppei Fukuda reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-010280.html",
  "sec:cpe": {
    "#text": "cpe:/a:fluentd:fluentd",
    "@product": "Fluentd",
    "@vendor": "Cloud Native Computing Foundation (CNCF)",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2017-010280",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/vu/JVNVU95124098/index.html",
      "@id": "JVNVU#95124098",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906",
      "@id": "CVE-2017-10906",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-10906",
      "@id": "CVE-2017-10906",
      "@source": "NVD"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/150.html",
      "@id": "CWE-150",
      "@title": "Improper Neutralization of Escape, Meta, or Control Sequences(CWE-150)"
    }
  ],
  "title": "Fluentd vulenrable to escape sequence injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.