An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of webclientapirequestv1data in web/api/webapi_v1.c.
{ "vanir_signatures": [ { "id": "CVE-2018-18837-1abb3bcc", "digest": { "threshold": 0.9, "line_hashes": [ "66543347973657702719146160550183012649", "338539389829895664211686211858862033147", "181613397865496398390060114766203357490", "311939904960053635228447904840087471795", "69162383861090423052578740815008696676", "295754951258971798843125484558902277741" ] }, "signature_version": "v1", "deprecated": false, "target": { "file": "web/api/web_api_v1.c" }, "signature_type": "Line", "source": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca" }, { "id": "CVE-2018-18837-8953f44d", "digest": { "length": 4676.0, "function_hash": "204881456466600532908895856298960794977" }, "signature_version": "v1", "deprecated": false, "target": { "file": "web/api/web_api_v1.c", "function": "web_client_api_request_v1_data" }, "signature_type": "Function", "source": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca" }, { "id": "CVE-2018-18837-a1c71538", "digest": { "threshold": 0.9, "line_hashes": [ "179904335846742252483163393046264994826", "190346668020436203569205258275860151209", "168848541308149862787108906740940067034", "149049622975872964869544566748975749382" ] }, "signature_version": "v1", "deprecated": false, "target": { "file": "libnetdata/url/url.c" }, "signature_type": "Line", "source": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca" }, { "id": "CVE-2018-18837-f8c8e8f7", "digest": { "length": 450.0, "function_hash": "145019406472654216900235053973844180715" }, "signature_version": "v1", "deprecated": false, "target": { "file": "libnetdata/url/url.c", "function": "url_decode_r" }, "signature_type": "Function", "source": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca" } ] }