製品・ソフトウェアに関する情報

JVN脆弱性詳細

Tom Molesworth (TEAM)のNet::Async::Statsd::ClientにおけるCRLF インジェクションの脆弱性

Title	Tom Molesworth (TEAM)のNet::Async::Statsd::ClientにおけるCRLF インジェクションの脆弱性
Summary	Net::Async::Statsd::Client のバージョン 0.005 までの Perl には、メトリックインジェクションの脆弱性があります。メトリック名に改行、コロン、またはパイプが含まれていないかチェックされていません。信頼できないソースから生成されたメトリックが、追加の statsd メトリックを注入する可能性があります。
Possible impacts	・当該ソフトウェアが扱う情報の一部が外部に漏れる可能性があります。・当該ソフトウェアが扱う情報の一部が書き換えられる可能性があります。・当該ソフトウェアは停止しません。
Solution	ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 4, 2026, midnight
Registration Date	June 9, 2026, 2:10 p.m.
Last Update	June 9, 2026, 2:10 p.m.

Affected System

Tom Molesworth (TEAM)

Net::Async::Statsd::Client 0.005 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2026-46719	https://www.cve.org/CVERecord?id=CVE-2026-46719
2	CVE-2026-46720	https://www.cve.org/CVERecord?id=CVE-2026-46720
3	CVE-2026-8722	https://www.cve.org/CVERecord?id=CVE-2026-8722
National Vulnerability Database (NVD)
4	CVE-2026-8722	https://nvd.nist.gov/vuln/detail/CVE-2026-8722

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-93	https://cwe.mitre.org/data/definitions/93.html

Change Log

No	Changed Details	Date of change
1	[2026年06月09日] 掲載	June 9, 2026, 2:10 p.m.

NVD Vulnerability Information

CVE-2026-46719

Summary	Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Publication Date	May 16, 2026, 11:16 p.m.
Registration Date	May 17, 2026, 4:14 a.m.
Last Update	May 19, 2026, 11:16 p.m.

Related information, measures and tools

No	URL	refsource
1	https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch	9b29abf9-4ab0-4765-b253-1875cd9b441e
2	https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes	9b29abf9-4ab0-4765-b253-1875cd9b441e
3	http://www.openwall.com/lists/oss-security/2026/05/16/9	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-93	CRLF インジェクション	https://cwe.mitre.org/data/definitions/93.html

CVE-2026-46720

Summary	Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Publication Date	May 18, 2026, 3:16 a.m.
Registration Date	May 18, 2026, 4:11 a.m.
Last Update	May 19, 2026, 2:40 a.m.

Related information, measures and tools

No	URL	refsource
1	https://github.com/robrwo/Net-Statsd-Tiny/commit/06f814f52fbcc0b2afddf7a2d6f8137fd3cede13.patch	9b29abf9-4ab0-4765-b253-1875cd9b441e
2	https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes	9b29abf9-4ab0-4765-b253-1875cd9b441e
3	https://www.cve.org/CVERecord?id=CVE-2026-46719	9b29abf9-4ab0-4765-b253-1875cd9b441e

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-93	CRLF インジェクション	https://cwe.mitre.org/data/definitions/93.html

CVE-2026-8722

Summary	Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Publication Date	June 4, 2026, 9:17 a.m.
Registration Date	June 5, 2026, 4:10 a.m.
Last Update	June 9, 2026, 1:39 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:team:net\:\:async\:\:statsd\:\:client::::::perl::*			0.005

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.cve.org/CVERecord?id=CVE-2026-46719	9b29abf9-4ab0-4765-b253-1875cd9b441e
2	https://www.cve.org/CVERecord?id=CVE-2026-46720	9b29abf9-4ab0-4765-b253-1875cd9b441e

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-93	CRLF インジェクション	https://cwe.mitre.org/data/definitions/93.html