CVE-2017-12588

CRITICAL

Rsyslog < 8.27.0 - Format String Vulnerability

Title source: rule

Description

The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.

References (4)

[Patch, Third Party Advisory] https://github.com/rsyslog/rsyslog/pull/1565

[Third Party Advisory] https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b

[Release Notes, Third Party Advisory] https://github.com/rsyslog/rsyslog/blob/master/ChangeLog

View Writeup ZIP pw:eip

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20241227-0009/

Scores

CVSS v3 9.8

EPSS 0.0043

EPSS Percentile 62.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-134

Status published

Products (1)

rsyslog/rsyslog < 8.27.0

Published Aug 06, 2017

Tracked Since Feb 18, 2026