| Title | BINARYのDataDog::DogStatsdにおける複数の脆弱性 |
|---|---|
| Summary | Perl用のDataDog::DogStatsdバージョン0.07まででは、イベントタグからのメトリック注入が許可されています。DataDog::DogStatsdは入力を適切にサニタイズしないため、信頼されていないソースからのデータによりメトリック注入が可能です。format_eventメソッド(eventメソッドで使用)はタグの内容を検証しません。タグにはカンマ(タグの注入を許可)、改行、パイプ、およびコロンが含まれる可能性があり、これがメトリック注入を引き起こします。パイプを除去しようとする正規表現は効果がなく、パイプがエスケープされていないため正規表現のメタキャラクタとして解釈されて効果を発揮しません。 |
| Possible impacts | ・当該ソフトウェアが扱う全ての情報が外部に漏れる可能性があります。 ・当該ソフトウェアが扱う全ての情報が書き換えられる可能性があります。 ・当該ソフトウェアが完全に停止する可能性があります。 |
| Solution | ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | June 5, 2026, midnight |
| Registration Date | June 11, 2026, 4:15 p.m. |
| Last Update | June 11, 2026, 4:15 p.m. |
| CVSS3.0 : 緊急 | |
| Score | 9.8 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BINARY |
| DataDog::DogStatsd 0.07 およびそれ以前 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2026年06月11日] 掲載 |
June 11, 2026, 4:15 p.m. |
| Summary | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.) |
|---|---|
| Publication Date | June 6, 2026, 1:16 a.m. |
| Registration Date | June 6, 2026, 4:17 a.m. |
| Last Update | June 11, 2026, 12:01 a.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:binary:datadog\:\:dogstatsd:*:*:*:*:*:perl:*:* | 0.07 | ||||
| Summary | Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. |
|---|---|
| Publication Date | May 16, 2026, 11:16 p.m. |
| Registration Date | May 17, 2026, 4:14 a.m. |
| Last Update | May 19, 2026, 11:16 p.m. |
| Summary | Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. |
|---|---|
| Publication Date | May 18, 2026, 3:16 a.m. |
| Registration Date | May 18, 2026, 4:11 a.m. |
| Last Update | May 19, 2026, 2:40 a.m. |
| Summary | Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections. |
|---|---|
| Publication Date | June 5, 2026, 2:16 a.m. |
| Registration Date | June 5, 2026, 4:11 a.m. |
| Last Update | June 9, 2026, 1:33 a.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:sanbeg:etsy\:\:statsd:*:*:*:*:*:perl:*:* | 1.002002 | ||||