CVE-2017-10906 : Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the

Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.

Published 2017-12-08 15:29:00

Updated 2021-08-04 17:14:47

Source JPCERT/CC

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2017-10906

Probability of exploitation activity in the next 30 days: 0.22%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 59 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-10906

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2017-10906

https://access.redhat.com/errata/RHSA-2018:2225

RHSA-2018:2225 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes

fluentd/CHANGELOG.md at v0.12 · fluent/fluentd · GitHub
Issue Tracking;Release Notes;Third Party Advisory
https://jvn.jp/en/vu/JVNVU95124098/index.html

JVNVU#95124098: Fluentd vulenrable to escape sequence injection
Issue Tracking;Third Party Advisory;VDB Entry
https://github.com/fluent/fluentd/pull/1733

filter_parser: Fix dumpped result for avoiding escape sequence injection by repeatedly · Pull Request #1733 · fluent/fluentd · GitHub
Issue Tracking;Patch;Third Party Advisory

Products affected by CVE-2017-10906

Redhat » Openstack » Version: 13
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.31
cpe:2.3:a:fluentd:fluentd:0.12.31:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.33
cpe:2.3:a:fluentd:fluentd:0.12.33:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.40
cpe:2.3:a:fluentd:fluentd:0.12.40:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.35
cpe:2.3:a:fluentd:fluentd:0.12.35:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.36
cpe:2.3:a:fluentd:fluentd:0.12.36:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.37
cpe:2.3:a:fluentd:fluentd:0.12.37:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.38
cpe:2.3:a:fluentd:fluentd:0.12.38:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.29
cpe:2.3:a:fluentd:fluentd:0.12.29:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.30
cpe:2.3:a:fluentd:fluentd:0.12.30:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.32
cpe:2.3:a:fluentd:fluentd:0.12.32:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.34
cpe:2.3:a:fluentd:fluentd:0.12.34:*:*:*:*:*:*:*
Matching versions
Fluentd » Fluentd » Version: 0.12.39
cpe:2.3:a:fluentd:fluentd:0.12.39:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-10906

Exploit prediction scoring system (EPSS) score for CVE-2017-10906

CVSS scores for CVE-2017-10906

References for CVE-2017-10906

Products affected by CVE-2017-10906