CVE-2018-17572
Published 2020-03-02
CVE-2018-17572: InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
Priority: P4 · 18 · CVSS 3.1 4.8 (medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.73% (49.5th percentile)
InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | influxdb | < influxdb 0.9.6.1+dfsg1-1 (bookworm) | influxdb 0.9.6.1+dfsg1-1 (bookworm) |
| github.com | influxdata_influxdb | >= 0 < 0.9.6 | 0.9.6 |
| influxdata | influxdb | <= 0.9.5 | — |
| influxdata | influxdb | >= 0 < 0.9.6.1+dfsg1-1 | 0.9.6.1+dfsg1-1 |
| influxdata | influxdb | >= 0 < 0.9.6.1+dfsg1-1 | 0.9.6.1+dfsg1-1 |
| influxdata | influxdb | >= 0 < 0.9.6.1+dfsg1-1 | 0.9.6.1+dfsg1-1 |
| influxdata | influxdb | >= 0 < 0.9.6.1+dfsg1-1 | 0.9.6.1+dfsg1-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 4.8 | MEDIUM | — |
| vendor_debian | — | 4.8 | MEDIUM | — |
| vendor_redhat | — | 4.8 | MEDIUM | — |
Debian
CVE-2018-17572 [MEDIUM]: influxdb - InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
vendor_debian · 2018 · CVSS 4.8
InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
Scope: local
bookworm: resolved (fixed in 0.9.6.1+dfsg1-1)
bullseye: resolved (fixed in 0.9.6.1+dfsg1-1)
forky: resolved (fixed in 0.9.6.1+dfsg1-1)
sid: resolved (fixed in 0.9.6.1+dfsg1-1)
trixie: resolved (fixed in 0.9.6.1+dfsg1-1)
Red Hat
influxdb: Reflected cross-site-scripting in the Write Data module
vendor_redhat · 2015-12-08 · CVSS 4.8
CVE-2018-17572 [MEDIUM] CWE-79
InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
Package: servicemesh-prometheus (OpenShift Service Mesh 1) - Not affected
Package: openshift4/ose-ovn-kubernetes (Red Hat OpenShift Container Platform 4) - Not affected
Package: openshift4/ose-prometheus (Red Hat OpenShift Container Platform 4) - Not affected
GHSA
InfluxDB Reflected Cross-site Scripting
ghsa · 2022-05-24
CVE-2018-17572 [MEDIUM] CWE-79
InfluxDB 0.9.5 has Reflected XSS in the admin panel via the Write Data module.
OSV
InfluxDB Reflected Cross-site Scripting
osv · 2022-05-24
CVE-2018-17572 [MEDIUM]
InfluxDB 0.9.5 has Reflected XSS in the admin panel via the Write Data module.
OSV
CVE-2018-17572: InfluxDB 0
osv · 2020-03-02 · CVSS 4.8
CVE-2018-17572 [MEDIUM]
InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17572 golang-github-influxdb-influxdb: influxdb: Reflected cross-site-scripting in the Write Data module [epel-6]
bugzilla · 2020-03-11 · CVSS 4.8
CVE-2018-17572 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion
Bugzilla
CVE-2018-17572 golang-github-influxdb-influxdb: influxdb: Reflected cross-site-scripting in the Write Data module [fedora-30]
bugzilla · 2020-03-11 · CVSS 4.8
CVE-2018-17572 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-30.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion
Bugzilla
CVE-2018-17572 influxdb: Reflected cross-site-scripting in the Write Data module
bugzilla · 2020-03-09 · CVSS 4.8
CVE-2018-17572 [MEDIUM]
InfluxDB 0.9.5 has Reflected XSS in the Write Data module.
References:
https://github.com/influxdata/influxdb/releases/tag/v0.9.6
https://gist.github.com/Raghavrao29/1cb84f1f2d8ce993fd7b2d1366d35f48
Discussion:
This cross-site-scripting (XSS) vulnerability affects the admin GUI of InfluxDB.
Furthermore, in InfluxDB v1.2 the admin GUI was deprecated and disabled by default (thanks for the find jpadman).
Ref: https://docs.influxdata.com/influxdb/v1.2/tools/web_admin/
OpenShift ServiceMesh vendors InfluxDB v1.2.3+ in servicemesh-prometheus and is not vulnerable. Plus the vendored code is just the client libraries for InfluxDB.
---
The following OpenShift containers only vendor in the InfluxDB client versi
Published: 2020-03-02