Impact
Net::Statsd::Lite versions prior to 0.9.0 permit the creation of metric names that contain newline, colon, or pipe characters. These characters are interpreted by the StatsD protocol as delimiters, effectively allowing a single metric string to be parsed as multiple metrics or to manipulate the names of metrics sent to the server.
Affected Systems
The vulnerable component is the Perl module Net::Statsd::Lite distributed by RRWO. Any installation using a version older than 0.9.0 is affected. The fix was released in version 0.9.0 and later.
Risk and Exploitability
Based on the description, it is inferred that exploitation requires the ability to send metrics through the vulnerable library to a StatsD server. By inserting prohibited characters such as newlines, colons, or pipes into the metric name, an attacker can inject additional metrics or alter existing ones, thereby compromising the integrity of monitoring data. This does not allow remote code execution. The CVSS score of 6.5 indicates moderate severity, while the EPSS score of < 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog.
OpenCVE Enrichment