CVE-2017-10906 — Improper Neutralization of Special Elements in Fluentd

CWE-138 — Improper Neutralization of Special Elements8 documents6 sources

Severity

9.8CRITICALNVD

EPSS

4.7%

top 10.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fluentd Cloud Native Computing Foundation Fluentd Redhat Openstack

Timeline

PublishedDec 8

Latest updateMay 13

Description

Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶RubyGemsfluentd/fluentd0.12.29 — 0.12.41

▶NVDfluentd/fluentd12 versions+11

▶CVEListV5cloud_native_computing_foundation/fluentd0.12.29 through 0.12.40

▶NVDredhat/openstack13

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Fluentd Escape Sequence Injection Vulnerability↗2022-05-13

▶

OSV

Fluentd Escape Sequence Injection Vulnerability↗2022-05-13

▶

OSV

linux-lts-xenial, linux-aws vulnerabilities↗2019-10-23

▶

OSV

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities↗2019-10-22

▶

CVEList

CVE-2017-10906: Escape sequence injection vulnerability in Fluentd versions 0↗2017-12-08

▶

📋Vendor Advisories

Red Hat

fluentd: Escape sequence injection in filter_parser.rb:filter_stream can lead to arbitrary command execution when processing logs↗2017-11-07

▶

💬Community

Bugzilla

CVE-2017-10906 fluentd: Escape sequence injection in filter_parser.rb:filter_stream can lead to arbitrary command execution when processing logs↗2017-12-12

▶