| Title | BINARYのDataDog::DogStatsdにおける複数の脆弱性 |
|---|---|
| Summary | DataDog::DogStatsdのPerl向けバージョン0.07以前にはメトリクスインジェクションの脆弱性があります。DataDog::DogStatsdは入力を適切にサニタイズしておらず、信頼できないソースからのデータによるメトリクスインジェクションを許してしまいます。send_statsメソッドはメトリクス名($stat変数)から改行コードを除去しないため、攻撃者がメトリクス名のプレフィックスを変更可能です。send_statsメソッドは値の内容($delta変数)を検証せず、特にset、gauge、count、histogramなど値のデータ型を制限しないメソッドからメトリクスがインジェクトされる恐れがあります。send_statsメソッドはタグの内容を検証せず、タグに改行、パイプ、コロンが含まれることがあり、これがメトリクスインジェクションを許す原因となっています。なおSYNOPSISにはサイトのフォームの"loginName"パラメータをタグとして渡す例が示されていますが、これは安全ではありません。 |
| Possible impacts | ・当該ソフトウェアが扱う全ての情報が外部に漏れる可能性があります。 ・当該ソフトウェアが扱う全ての情報が書き換えられる可能性があります。 ・当該ソフトウェアは停止しません。 |
| Solution | ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | June 5, 2026, midnight |
| Registration Date | June 11, 2026, 4:15 p.m. |
| Last Update | June 11, 2026, 4:15 p.m. |
| CVSS3.0 : 緊急 | |
| Score | 9.1 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| BINARY |
| DataDog::DogStatsd 0.07 およびそれ以前 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2026年06月11日] 掲載 |
June 11, 2026, 4:15 p.m. |
| Summary | Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. |
|---|---|
| Publication Date | May 16, 2026, 11:16 p.m. |
| Registration Date | May 17, 2026, 4:14 a.m. |
| Last Update | May 19, 2026, 11:16 p.m. |
| Summary | Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. |
|---|---|
| Publication Date | May 18, 2026, 3:16 a.m. |
| Registration Date | May 18, 2026, 4:11 a.m. |
| Last Update | May 19, 2026, 2:40 a.m. |
| Summary | Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections. |
|---|---|
| Publication Date | June 5, 2026, 2:16 a.m. |
| Registration Date | June 5, 2026, 4:11 a.m. |
| Last Update | June 9, 2026, 1:33 a.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:sanbeg:etsy\:\:statsd:*:*:*:*:*:perl:*:* | 1.002002 | ||||
| Summary | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe. |
|---|---|
| Publication Date | June 6, 2026, 1:16 a.m. |
| Registration Date | June 6, 2026, 4:17 a.m. |
| Last Update | June 11, 2026, 12:01 a.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:binary:datadog\:\:dogstatsd:*:*:*:*:*:perl:*:* | 0.07 | ||||