Impact
Metrics::Any::Adapter::SignalFx for Perl, before version 0.04, fails to sanitize metric labels, enabling attackers to inject arbitrary metrics into the Statsd protocol stream when packets contain newlines or control characters. This flaw, related to CWE-93 (CRLF injection) and CWE-150 (improper neutralization of escape, meta, or control sequences), permits malicious manipulation of monitoring data, potentially leading to data corruption or false alarms.
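The following Perl script is an added illustration of the weakness class, not code from Metrics::Any::Adapter::SignalFx or its 0.04 fix; the line format "name[key=value,...]:value|type", the function names and the hostile label value are all assumptions constructed for the example. It renders one metric with a label value that embeds a newline, first with verbatim interpolation and then through an allow-list sanitizer, and counts how many Statsd lines each rendering produces.

```perl
#!/usr/bin/perl
# Added example, not the module's code. The Statsd-style line format
# "name[k=v,...]:value|type" is assumed here for illustration only.
use strict;
use warnings;

# Unsanitised rendering: label keys and values are interpolated verbatim,
# so a value containing "\n" ends the line and starts a second metric.
sub render_unsanitised {
    my ( $name, $value, $type, %labels ) = @_;
    my $dims = join ",", map { my $k = $_; "$k=$labels{$k}" } sort keys %labels;
    return $name . "[$dims]:$value|$type\n";
}

# Hardened rendering: everything outside a conservative allow-list is
# replaced with "_" before interpolation, so one call yields one line.
sub sanitise_label {
    my ($s) = @_;
    $s =~ s/[^A-Za-z0-9_.\-]/_/g;
    return $s;
}

sub render_sanitised {
    my ( $name, $value, $type, %labels ) = @_;
    my $dims = join ",", map {
        my $k = $_;
        sanitise_label($k) . "=" . sanitise_label( $labels{$k} );
    } sort keys %labels;
    return sanitise_label($name) . "[$dims]:$value|$type\n";
}

# Count newline-terminated lines in a rendered packet.
sub line_count {
    my ($packet) = @_;
    return scalar( () = $packet =~ /\n/g );
}

# Constructed hostile label value: it smuggles a second metric after "\n".
my %labels = ( host => "web1\nbogus.alert[host=web1]:1|c" );

my $bad  = render_unsanitised( "http.requests", 1, "c", %labels );
my $good = render_sanitised(   "http.requests", 1, "c", %labels );

printf "unsanitised packet carries %d metric line(s)\n", line_count($bad);
printf "sanitised packet carries   %d metric line(s)\n", line_count($good);
print $good;
```

A monitoring pipeline can apply the same allow-list check at ingestion time as a detection signal: a label value that needed rewriting is evidence that untrusted input reached the metric layer.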
Affected Systems
The issue affects installations of PEVANS Metrics::Any::Adapter::SignalFx earlier than version 0.04. All earlier releases lack protection against metric injection and should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 6.5, together with an EPSS score below 1%, indicates a very low but nonzero probability of exploitation. The vulnerability is exploitable over the network by sending specially crafted Statsd packets to the SignalFx endpoint, so the attack vector is remote. Because the weakness is a failure to validate input, an adversary who controls the metric stream can inject malicious metrics without elevated privileges. Although the issue is not listed in CISA's KEV catalog, the low but nonzero EPSS score combined with the 6.5 CVSS score represents a moderate risk that warrants prompt remediation.
OpenCVE Enrichment