Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Metrics::Any::Adapter::DogStatsd by PEVANS

    CVE-2026-50638 (GCVE-0-2026-50638)

    Vulnerability from nvd – Published: 2026-06-10 18:32 – Updated: 2026-06-19 15:32
    VLAI
    Title
    Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
    Summary
    Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper Neutralization of CRLF Sequences
    • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
    Assigner
    Impacted products
    Vendor Product Version
    PEVANS Metrics::Any::Adapter::DogStatsd Affected: 0 , < 0.04 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50638",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T19:10:59.333211Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T19:11:42.654Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Metrics-Any-Adapter-Statsd",
              "product": "Metrics::Any::Adapter::DogStatsd",
              "programRoutines": [
                {
                  "name": "Metrics::Any::Adapter::DogStatsd::_tags"
                }
              ],
              "vendor": "PEVANS",
              "versions": [
                {
                  "lessThan": "0.04",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93 Improper Neutralization of CRLF Sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-150",
                  "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T15:32:58.508Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-50639"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to v0.04 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-50638",
        "datePublished": "2026-06-10T18:32:21.666Z",
        "dateReserved": "2026-06-05T12:07:20.886Z",
        "dateUpdated": "2026-06-19T15:32:58.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50638 (GCVE-0-2026-50638)

    Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-19 15:32
    VLAI
    Title
    Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
    Summary
    Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper Neutralization of CRLF Sequences
    • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
    Assigner
    Impacted products
    Vendor Product Version
    PEVANS Metrics::Any::Adapter::DogStatsd Affected: 0 , < 0.04 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50638",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-11T19:10:59.333211Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-11T19:11:42.654Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Metrics-Any-Adapter-Statsd",
              "product": "Metrics::Any::Adapter::DogStatsd",
              "programRoutines": [
                {
                  "name": "Metrics::Any::Adapter::DogStatsd::_tags"
                }
              ],
              "vendor": "PEVANS",
              "versions": [
                {
                  "lessThan": "0.04",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93 Improper Neutralization of CRLF Sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-150",
                  "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T15:32:58.508Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2026-50639"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to v0.04 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-50638",
        "datePublished": "2026-06-10T18:32:21.666Z",
        "dateReserved": "2026-06-05T12:07:20.886Z",
        "dateUpdated": "2026-06-19T15:32:58.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }