CVE-2017-12588

The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
rsyslogrsyslog
𝑥
≤ 8.27.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rsyslog
bullseye
8.2102.0-2+deb11u1
fixed
bullseye (security)
8.2102.0-2+deb11u1
fixed
bookworm
8.2302.0-1
fixed
sid
8.2410.0-1
fixed
trixie
8.2410.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rsyslog
zesty
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://github.com/rsyslog/rsyslog/blob/master/ChangeLog
https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b
https://github.com/rsyslog/rsyslog/pull/1565
https://github.com/rsyslog/rsyslog/blob/master/ChangeLog
https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b
https://github.com/rsyslog/rsyslog/pull/1565
https://security.netapp.com/advisory/ntap-20241227-0009/