
CVSS: 9.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Jan 2023 — Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased ... • https://github.com/netdata/netdata/releases/tag/v1.37.0 • CWE-287: Improper Authentication CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Jan 2023 — Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. An attacker with the ability to establish a streaming connection can execute arbitrary commands on the targeted Netdata agent. When an alert is triggered, the function `health_alarm_execute` is called. This function performs different checks and then enqueues a command by calling `spawn_enq_cmd`. This command is populated with several arguments that are not sanitized. • https://github.com/netdata/netdata/security/advisories/GHSA-xg38-3vmw-2978 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

18 Jun 2019 — An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. • https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L388 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

18 Jun 2019 — An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. • https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L367-L370 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

18 Jun 2019 — An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry. • https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca • CWE-116: Improper Encoding or Escaping of Output •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

18 Jun 2019 — An issue was discovered in Netdata 1.10.0. Full Path Disclosure (FPD) exists via api/v1/alarms. NOTE: the vendor says "is intentional." ** DISPUTED ** • https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.1 | EPSS: 3% | CPEs: 1 | EXPL: 2

15 Mar 2019 — The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot ** DISPUTED ** ... • https://www.exploit-db.com/exploits/46545 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •