Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2017-10906

Опубликовано: 07 нояб. 2017
Источник: redhat
CVSS3: 5.3
EPSS Низкий

Описание

Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.

Отчет

This flaw requires particular preconditions to be exploitable, which are not common in supported deployments of fluentd. The vulnerable system must have all of:

  1. A filter_parser enabled in fluentd.conf
  2. Fluentd running in non-daemon mode or a bad syslog server that doesn't sanitise escape sequences (rsyslog does)
  3. A vulnerable terminal that happens to be running fluentd or manipulating the fluentd log file (for example tailing it) This issue affects the versions of fluentd as shipped with Red Hat OpenShift Enterprise 3. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenShift Enterprise 3fluentdAffected
Red Hat OpenStack Platform 10 (Newton) Operational ToolsfluentdWill not fix
Red Hat OpenStack Platform 11 (Ocata) Operational ToolsfluentdWill not fix
Red Hat OpenStack Platform 12 (Pike) Operational ToolsfluentdWill not fix
Red Hat Virtualization 4fluentdWill not fix
Red Hat OpenStack Platform 13.0 Operational Tools for RHEL 7fluentdFixedRHSA-2018:222519.07.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-138
https://bugzilla.redhat.com/show_bug.cgi?id=1524783fluentd: Escape sequence injection in filter_parser.rb:filter_stream can lead to arbitrary command execution when processing logs

EPSS

Процентиль: 80%
0.01357
Низкий

5.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2017-10906

CVSS3: 9.8
nvd
около 8 лет назад

Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.

debian логотип

CVE-2017-10906

CVSS3: 9.8
debian
около 8 лет назад

Escape sequence injection vulnerability in Fluentd versions 0.12.29 th ...

github логотип

GHSA-5jrp-w8fr-mrww

CVSS3: 9.8
github
больше 3 лет назад

Fluentd Escape Sequence Injection Vulnerability

EPSS

Процентиль: 80%
0.01357
Низкий

5.3 Medium

CVSS3