CVE-2018-18838 - OpenCVE

An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
My-netdata	Netdata

Configuration 1 [-]

cpe:2.3:a:my-netdata:netdata:1.10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca
https://github.com/netdata/netdata/pull/4521
https://www.red4sec.com/cve/netdata_log_injection.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-18T15:10:28

Updated: 2024-08-05T11:23:08.172Z

Reserved: 2018-10-30T00:00:00

Link: CVE-2018-18838

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-06-18T16:15:10.680

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-18838

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-18T15:10:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netdata/netdata/pull/4521"}, {"tags": ["x_refsource_MISC"], "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18838", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca", "refsource": "MISC", "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"name": "https://github.com/netdata/netdata/pull/4521", "refsource": "CONFIRM", "url": "https://github.com/netdata/netdata/pull/4521"}, {"name": "https://www.red4sec.com/cve/netdata_log_injection.txt", "refsource": "MISC", "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:23:08.172Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/netdata/netdata/pull/4521"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18838", "datePublished": "2019-06-18T15:10:28", "dateReserved": "2018-10-30T00:00:00", "dateUpdated": "2024-08-05T11:23:08.172Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:my-netdata:netdata:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "16D5826B-3CFF-4A59-8CE1-226FACF34F9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry."}, {"lang": "es", "value": "Un problema fue descubierto en Netdata 1.10.0. La inyecci\u00f3n de registro (o la falsificaci\u00f3n de registro) existe a trav\u00e9s de una secuencia% 0a en el par\u00e1metro url para api / v1 / registry."}], "id": "CVE-2018-18838", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-18T16:15:10.680", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/netdata/netdata/pull/4521"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}]}