CVE-2026-45179
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses.
If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked.
Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| RRWO | Plack::Middleware::Statsd | 0 < 0.9.0 | affected |
Weaknesses
- CWE-319: CWE-319 Cleartext Transmission of Sensitive Information
Workarounds
Use a statsd daemon on the same host or through a secure communications channel.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx
- https://metacpan.org/release/RRWO/Plack-Middleware-Statsd-v0.9.0/changes
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.