HTTP Header Injection in Netdata Affects Multiple Versions
CVE-2018-18837

6.1 MEDIUM

Key Information:

Vendor: My-netdata

Status
Vendor
CVE Published: 18 June 2019

What is CVE-2018-18837?

An HTTP Header Injection vulnerability has been identified in the Netdata application, specifically in version 1.10.0. This issue arises from improper handling of the 'filename' parameter in the api/v1/data endpoint. The vulnerability allows attackers to inject headers through crafted requests, potentially leading to CSRF or other attacks. It is crucial for users and administrators of Netdata to apply necessary patches and monitor their systems to mitigate any risks associated with this vulnerability.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
