The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)
References
Link | Resource |
---|---|
https://github.com/GuillaumePetit84/CVE-2020-35488 | Exploit Mitigation Third Party Advisory |
https://gitlab.com/nxlog-public/nxlog-ce/-/blob/master/ChangeLog.txt#L2 | Release Notes Third Party Advisory |
Configurations
History
29 Apr 2022, 12:45
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://gitlab.com/nxlog-public/nxlog-ce/-/blob/master/ChangeLog.txt#L2 - Release Notes, Third Party Advisory | |
CPE | cpe:2.3:a:nxlog:nxlog:*:*:*:*:community:*:*:* |
03 Mar 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Jan 2021, 17:24
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/GuillaumePetit84/CVE-2020-35488 - Exploit, Mitigation, Third Party Advisory | |
CPE | cpe:2.3:a:nxlog:nxlog:2.10.2150:*:*:*:community:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 7.5 |
CWE | CWE-502 |
05 Jan 2021, 15:48
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-05 15:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-35488
Mitre link : CVE-2020-35488
CVE.ORG link : CVE-2020-35488
JSON object : View
Products Affected
nxlog
- nxlog
CWE
CWE-502
Deserialization of Untrusted Data