Skip to content

Improved fix for #2261.#2275

Merged
manolama merged 1 commit into
OpenTSDB:masterfrom
manolama:tweaks
Apr 11, 2023
Merged

Improved fix for #2261.#2275
manolama merged 1 commit into
OpenTSDB:masterfrom
manolama:tweaks

Conversation

@manolama

Copy link
Copy Markdown
Member

Regular expressions wouldn't catch the newlines or possibly other control characters. Now we'll use the TAG validation code to make sure the inputs are only plain ASCII printables first. Fixes CVE-2018-12972, CVE-2020-35476

Regular expressions wouldn't catch the newlines or possibly other
control characters. Now we'll use the TAG validation code to make
sure the inputs are only plain ASCII printables first.
Fixes CVE-2018-12972, CVE-2020-35476
@manolama manolama merged commit 07c4641 into OpenTSDB:master Apr 11, 2023
@oxeye-daniel

Copy link
Copy Markdown

@manolama - this seems to fix the RCE we reported before Synopsis on Dec 12, 2022. Seems like they have also issued a CVE for the vulnerability we found. Could you please open a Github security advisory? Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants