Netdata vulnerable to command injection
CVE-2023-22496

8.1 HIGH

Key Information:

Vendor: Netdata
Status: Vendor
CVE Published: 14 January 2023

What is CVE-2023-22496?

Netdata, an open-source real-time infrastructure monitoring tool, contains a vulnerability that allows attackers to execute arbitrary commands on the Netdata agent. An attacker who establishes a streaming connection and triggers an alert reaches the health_alarm_execute function. Because that function handles its input improperly, the registry_hostname argument can be manipulated to include malicious commands. When exploited, this vulnerability gives remote command execution as the user running the Netdata Agent, commonly named netdata. To fix the issue, update the Netdata agent to version 1.37 or v1.36.0-409. Temporarily disabling the streaming feature, or restricting access to the streaming port to trusted connections, also reduces exposure.
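As an added illustration of the input check the description calls for (this is not Netdata's code, and the handler script path and `--host` flag are hypothetical): a hostname is accepted only if it matches hostname syntax, and it is then passed to the alarm handler as its own argv element rather than being spliced into a shell command string.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept only RFC 1123 hostname syntax: dot-separated labels of letters,
 * digits and hyphens, no label starting or ending with a hyphen, no empty
 * label, at most 63 chars per label and 253 overall. Anything else,
 * including whitespace and shell metacharacters, is rejected. */
bool hostname_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* empty label, or label ending in '-' */
            if (label_len == 0 || host[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;
        if (label_len == 0 && c == '-') return false;
        if (++label_len > 63) return false;
    }
    /* trailing dot or trailing hyphen */
    return label_len > 0 && host[len - 1] != '-';
}

/* Build an argv vector (hypothetical handler interface) so the hostname is
 * one argument to the script and is never parsed by a shell. Returns false
 * when the hostname fails validation, in which case argv is left untouched. */
bool build_alarm_argv(const char *script, const char *host, const char *argv[4])
{
    if (!hostname_is_safe(host)) return false;
    argv[0] = script;
    argv[1] = "--host";
    argv[2] = host;
    argv[3] = NULL; /* terminator expected by execv-style calls */
    return true;
}

int main(void)
{
    const char *argv[4];
    /* constructed sample inputs */
    const char *inputs[] = { "host-1.example.com", "host name", "-bad.example" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s %s\n", inputs[i],
               build_alarm_argv("/usr/libexec/alarm-notify.sh", inputs[i], argv)
                   ? "accepted" : "rejected");
    return 0;
}
```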

Affected Version(s)

netdata < 1.36.0-409

netdata < 1.37

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
