Metrics
Monthly
Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl, allowing unauthenticated remote attackers to forge or corrupt statsd telemetry streams. The root cause is the _labels function's failure to strip or reject newlines and statsd control characters from tag label values before they are encoded into statsd UDP packets. Because statsd and dogstatsd protocols use newlines as metric delimiters, an attacker who can influence any label value flowing into the adapter can cause the server to parse additional attacker-controlled metrics. No public exploit has been identified at time of analysis, but SSVC rates the flaw as automatable with partial technical impact.
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbitrary StatsD/DogStatsD metrics by smuggling newline characters through unsanitized metric names and tags. Because the StatsD protocol treats newlines as packet delimiters for multiple metrics, attacker-controlled values forwarded into the adapter can forge additional metrics or tag payloads on the wire, with no public exploit identified at time of analysis and an EPSS score of 0.03% indicating low near-term exploitation probability.
Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.
A vulnerability was found in KBase Metrics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl, allowing unauthenticated remote attackers to forge or corrupt statsd telemetry streams. The root cause is the _labels function's failure to strip or reject newlines and statsd control characters from tag label values before they are encoded into statsd UDP packets. Because statsd and dogstatsd protocols use newlines as metric delimiters, an attacker who can influence any label value flowing into the adapter can cause the server to parse additional attacker-controlled metrics. No public exploit has been identified at time of analysis, but SSVC rates the flaw as automatable with partial technical impact.
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbitrary StatsD/DogStatsD metrics by smuggling newline characters through unsanitized metric names and tags. Because the StatsD protocol treats newlines as packet delimiters for multiple metrics, attacker-controlled values forwarded into the adapter can forge additional metrics or tag payloads on the wire, with no public exploit identified at time of analysis and an EPSS score of 0.03% indicating low near-term exploitation probability.
Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.
A vulnerability was found in KBase Metrics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.