CRITICAL🇵🇱 Wersja polska

CVE-2026-11362

CVSS 9.8pub. 2026-06-05upd. 2026-06-10

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)

🤖 AI Analysis
How it works

The format_event method (called by the event method) does not validate the contents of tags passed by the user. Tags can contain commas (allowing injection of additional tags) as well as newline characters, pipes, and colons, which allow injection of arbitrary metrics into the StatsD stream. An attempt to remove pipe characters using the s/|//g regex is ineffective because the pipe character is not properly escaped in it and is treated as a regex metacharacter, so the substitution operation has no effect.

Impact

An attacker able to supply data to event tags (e.g., from untrusted sources) can inject arbitrary metrics and tags, manipulating monitoring data and potentially compromising the integrity and confidentiality of collected telemetry data.

Mitigation & patch

Apply patches available from the vendor according to references. As a workaround, restrict acceptance of data from untrusted sources as event tags and manually sanitize input data before passing it to the event method.

Who is affected

DataDog::DogStatsd for Perl in versions up to and including 0.07

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Binary Datadog\

    APP
    Binary
    \
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-9270CRITICAL9.1PL ✓ten sam produkt

DataDog::DogStatsd dla Perl — metric injection poprzez brak sanityzacji danych wejściowych