DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
The format_event method (called by the event method) does not validate the contents of tags passed by the user. Tags can contain commas (allowing injection of additional tags) as well as newline characters, pipes, and colons, which allow injection of arbitrary metrics into the StatsD stream. An attempt to remove pipe characters using the s/|//g regex is ineffective because the pipe character is not properly escaped in it and is treated as a regex metacharacter, so the substitution operation has no effect.
An attacker able to supply data to event tags (e.g., from untrusted sources) can inject arbitrary metrics and tags, manipulating monitoring data and potentially compromising the integrity and confidentiality of collected telemetry data.
Apply patches available from the vendor according to references. As a workaround, restrict acceptance of data from untrusted sources as event tags and manually sanitize input data before passing it to the event method.
DataDog::DogStatsd for Perl in versions up to and including 0.07
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HBinary Datadog\
APPBinary\