References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.

The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.

The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.

Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.

CWE-93

https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes

https://www.cve.org/CVERecord?id=CVE-2026-46719

https://www.cve.org/CVERecord?id=CVE-2026-46720

https://www.cve.org/CVERecord?id=CVE-2026-46739