=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN596
_____________________________________________________________________

DATE                : 05/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Net::Async::Statsd::Client for
                     Perl versions up to and including 0.005,
                     Net::Statsd for Perl versions up to and including 0.13,
                     Etsy::StatsD for Perl versions up to and including 1.002002.

=====================================================================
https://lists.security.metacpan.org/cve-announce/msg/40684837/
https://lists.security.metacpan.org/cve-announce/msg/40702251/
https://lists.security.metacpan.org/cve-announce/msg/40702581/
_____________________________________________________________________

CVE-2026-8722: Net::Async::Statsd::Client versions through 0.005 for
Perl allow metric injections
Robert Rothenberg, 03 Jun 2026 23:47 UTC

========================================================================
CVE-2026-8722                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8722
   Distribution:  Net-Async-Statsd
       Versions:  through 0.005

       MetaCPAN:  https://metacpan.org/dist/Net-Async-Statsd
       VCS Repo:  https://github.com/team-at-cpan/Net-Async-Statsd

Net::Async::Statsd::Client versions through 0.005 for Perl allow metric
injections

Description
-----------
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric
injections.

The metric names are not checked for newlines, colons or pipes. Metrics
generated from untrusted sources could inject additional statsd
metrics.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
Ensure only trusted data is submitted to metrics.

References
----------
https://www.cve.org/CVERecord?id=CVE-2026-46719
https://www.cve.org/CVERecord?id=CVE-2026-46720

_____________________________________________________________________

CVE-2026-46739: Net::Statsd versions before 0.13 for Perl allow metric
injections
Robert Rothenberg, 04 Jun 2026 15:46 UTC

========================================================================
CVE-2026-46739                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-46739
   Distribution:  Net-Statsd
       Versions:  before 0.13

       MetaCPAN:  https://metacpan.org/dist/Net-Statsd
       VCS Repo:  https://github.com/cosimo/perl5-net-statsd

Net::Statsd versions before 0.13 for Perl allow metric injections

Description
-----------
Net::Statsd versions before 0.13 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics
generated from untrusted sources could inject additional statsd
metrics.

The update_stats (used for updating counters) and gauge methods do not
check that values are numeric (which would block metric injection).

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
Apply the linked pull request.

Otherwise ensure only trusted data is submitted to metrics.

Solutions
---------
Upgrade to version 0.13 or later.

References
----------
https://github.com/cosimo/perl5-net-statsd/pull/10
https://www.cve.org/CVERecord?id=CVE-2026-46719
https://www.cve.org/CVERecord?id=CVE-2026-46720


_____________________________________________________________________

CVE-2026-46741: Etsy::StatsD versions through 1.002002 for Perl allow
metric injections
Robert Rothenberg, 04 Jun 2026 15:55 UTC

========================================================================
CVE-2026-46741                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-46741
   Distribution:  Etsy-StatsD
       Versions:  through 1.002002

       MetaCPAN:  https://metacpan.org/dist/Etsy-StatsD
       VCS Repo:  https://github.com/sanbeg/Etsy-Statsd

Etsy::StatsD versions through 1.002002 for Perl allow metric injections

Description
-----------
Etsy::StatsD versions through 1.002002 for Perl allow metric
injections.

The metric names and values are not checked for newlines, colons or
pipes. Metrics generated from untrusted sources could inject additional
statsd metrics.

Note that the git repository contains an unreleased version with the
gauge and set methods that also do not check for potential metric
injections.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
Ensure only trusted data is submitted to metrics.

References
----------
https://www.cve.org/CVERecord?id=CVE-2026-46719
https://www.cve.org/CVERecord?id=CVE-2026-46720
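All three advisories above describe the same weakness: the statsd wire format is `name:value|type[|@rate]`, one metric per line, so a name or value that carries a newline, colon or pipe can terminate the intended metric and append further ones. The following is an added example, not code from any of the affected distributions, showing the validation a caller can apply before handing data to one of these clients: names restricted to a conservative character set, values required to be numeric, and types drawn from a fixed list. The sample inputs are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Accepted statsd metric types: counter, gauge, timer, set, histogram.
my %TYPE_OK = map { $_ => 1 } qw(c g ms s h);

# Validate the parts of one statsd metric and return the formatted line,
# or (undef, reason) when any part could break the wire format.
# The name character class excludes ":", "|" and all whitespace, so the
# separators of the protocol can never be smuggled in through it.
sub safe_statsd_line {
    my ($name, $value, $type, $sample_rate) = @_;

    return (undef, 'metric name contains disallowed characters')
        unless defined $name && $name =~ /\A[A-Za-z0-9_.\-]+\z/;

    # Values must be numeric; a leading sign is allowed because statsd
    # gauges use "+n"/"-n" for relative changes.
    return (undef, 'metric value is not numeric')
        unless defined $value && $value =~ /\A[-+]?(?:\d+(?:\.\d+)?|\.\d+)\z/;

    return (undef, 'unknown metric type')
        unless defined $type && $TYPE_OK{$type};

    my $line = "$name:$value|$type";
    if (defined $sample_rate) {
        return (undef, 'sample rate must be in (0,1]')
            unless $sample_rate =~ /\A(?:0?\.\d+|1(?:\.0+)?)\z/;
        $line .= "|\@$sample_rate";
    }
    return ($line, undef);
}

# Constructed inputs: two well-formed metrics, a name carrying the three
# separator characters the advisories mention, and a non-numeric value.
my @cases = (
    [ 'login.attempts', 1, 'c' ],
    [ 'queue.depth', '-3', 'g', '0.5' ],
    [ "login.attempts\nadmin.override:999|g", 1, 'c' ],
    [ 'page.load', '12|g', 'ms' ],
);

for my $c (@cases) {
    my ($line, $err) = safe_statsd_line(@$c);
    my $shown = $c->[0]; $shown =~ s/\n/\\n/g;
    printf "%-40s => %s\n", $shown,
        defined $line ? "OK  $line" : "REJECTED ($err)";
}
```

The two malformed cases are rejected before any datagram is built; the same checks are what the Net::Statsd pull request referenced above adds inside the client itself.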



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




