CVE-2018-18838 - OpenCVE

An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
My-netdata	Netdata

Configuration 1 [-]

cpe:2.3:a:my-netdata:netdata:1.10.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca	Patch Third Party Advisory
https://github.com/netdata/netdata/pull/4521	Third Party Advisory
https://www.red4sec.com/cve/netdata_log_injection.txt	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-18T15:10:28

Updated: 2019-06-18T15:10:28

Reserved: 2018-10-30T00:00:00

Link: CVE-2018-18838

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-18T16:15:10.680

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-18838

JSON object: View

Redhat Information

No data.

CWE

CWE-116

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-18T15:10:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netdata/netdata/pull/4521"}, {"tags": ["x_refsource_MISC"], "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18838", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca", "refsource": "MISC", "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"name": "https://github.com/netdata/netdata/pull/4521", "refsource": "CONFIRM", "url": "https://github.com/netdata/netdata/pull/4521"}, {"name": "https://www.red4sec.com/cve/netdata_log_injection.txt", "refsource": "MISC", "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18838", "datePublished": "2019-06-18T15:10:28", "dateReserved": "2018-10-30T00:00:00", "dateUpdated": "2019-06-18T15:10:28", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:my-netdata:netdata:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "16D5826B-3CFF-4A59-8CE1-226FACF34F9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry."}, {"lang": "es", "value": "Un problema fue descubierto en Netdata 1.10.0. La inyecci\u00f3n de registro (o la falsificaci\u00f3n de registro) existe a trav\u00e9s de una secuencia% 0a en el par\u00e1metro url para api / v1 / registry."}], "id": "CVE-2018-18838", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-18T16:15:10.680", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/netdata/netdata/pull/4521"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.red4sec.com/cve/netdata_log_injection.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}]}