The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)
Is there a fix available for this security vulnerability?
https://nvd.nist.gov/vuln/detail/CVE-2020-35488
Comments (5)
Sure, thanks for the fast response.
Done; see https://gitlab.com/nxlog-public/nxlog-ce/-/issues/16
Oh, btw, there is already an issue for this.
Please take a look: https://gitlab.com/nxlog/nxlog/-/issues/3052
If you want more info or still have questions, it may be worth putting them straight to this issue.
But it's up to you how you want to proceed with this.
Sorry, saw your response too late; I created a new one: https://gitlab.com/nxlog-public/nxlog-ce/-/issues/16, you can see them as duplicates.
Not a problem at all.
Someone from development will review it and will do something, maybe close as duplicate with a link to an actual ticket.
Anyway, thank you for your attention.
Sincerely, Arch